From 34ed1c60cc8c307f59ccc43a4d6f5c4eeee2f39f Mon Sep 17 00:00:00 2001
From: clem9669 <18504086+clem9669@users.noreply.github.com>
Date: Thu, 7 Jan 2021 14:19:50 +0000
Subject: [PATCH] Update hacking-jwt-json-web-tokens.md

Typo
---
 pentesting-web/hacking-jwt-json-web-tokens.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pentesting-web/hacking-jwt-json-web-tokens.md b/pentesting-web/hacking-jwt-json-web-tokens.md
index 8acb57809..81d4f9b98 100644
--- a/pentesting-web/hacking-jwt-json-web-tokens.md
+++ b/pentesting-web/hacking-jwt-json-web-tokens.md
@@ -51,7 +51,7 @@ The algorithm RS256 uses the private key to sign the message and uses the public
 
 If you change the algorithm from RS256 to HS256, the back end code uses the public key as the secret key and then uses the HS256 algorithm to verify the signature.
 
-Then, using the public key and changing SR256 to HS256 we could create a valid signature. You can retrieve the certificate of the web server executing this: 
+Then, using the public key and changing RS256 to HS256 we could create a valid signature. You can retrieve the certificate of the web server executing this: 
 
 ```bash
 openssl s_client -connect example.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > certificatechain.pem #For this attack you can use the JOSEPH Burp extension. In the Repeater, select the JWS tab and select the Key confusion attack. Load the PEM, Update the request and send it. (This extension allows you to send the "non" algorithm attack also). It is also recommended to use the tool jwt_tool with the option 2 as the previous Burp Extension does not always works well.