mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 09:27:32 +00:00
Update hacking-jwt-json-web-tokens.md
Reference https://asecuritysite.com/encryption/ecd5
This commit is contained in:
parent
0954fe38a8
commit
e07c0f6d07
1 changed files with 6 additions and 0 deletions
@ -246,6 +246,12 @@ console.log('Parameter e: ', publicComponents.e.toString(16));
Finally, using the public and private key and the new "n" and "e" values you can use [jwt.io](https://jwt.io) to forge a new valid JWT with any information.
Finally, using the public and private key and the new "n" and "e" values you can use [jwt.io](https://jwt.io) to forge a new valid JWT with any information.
### ES256: Revealing the private key with same nonce
If some applications use ES256 and use the same nonce to generate two jwts, the private key can be restored.
Here is a example: [ECDSA: Revealing the private key, if same nonce used (with SECP256k1)](https://asecuritysite.com/encryption/ecd5)
### JTI (JWT ID)
### JTI (JWT ID)
The JTI (JWT ID) claim provides a unique identifier for a JWT Token. It can be used to prevent the token from being replayed.\
The JTI (JWT ID) claim provides a unique identifier for a JWT Token. It can be used to prevent the token from being replayed.\
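Review bot: The example linked under the new "ES256: Revealing the private key with same nonce" heading is built on secp256k1, while ES256 is ECDSA over P-256 with SHA-256, so the "Here is a example" line should say that the linked demo uses a different curve and that the same nonce-reuse relation applies to P-256. The sentence before it would be clearer as "If an application uses ES256 and signs two JWTs with the same nonce, the private key can be recovered", and it would help to add one line on how a reader recognises the condition (both signatures carry the same r value). Also fix "a example" to "an example" and "jwts" to "JWTs".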