Update hacking-jwt-json-web-tokens.md

Reference https://asecuritysite.com/encryption/ecd5
Mane 2024-03-28 16:12:09 +08:00 committed by GitHub
parent 0954fe38a8
commit e07c0f6d07
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

@ -246,6 +246,12 @@ console.log('Parameter e: ', publicComponents.e.toString(16));
Finally, using the public and private key and the new "n" and "e" values you can use [jwt.io](https://jwt.io) to forge a new valid JWT with any information.
### ES256: Revealing the private key with same nonce
If some applications use ES256 and use the same nonce to generate two jwts, the private key can be restored.
Here is a example: [ECDSA: Revealing the private key, if same nonce used (with SECP256k1)](https://asecuritysite.com/encryption/ecd5)
### JTI (JWT ID)
The JTI (JWT ID) claim provides a unique identifier for a JWT Token. It can be used to prevent the token from being replayed.\
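Review bot: The added "ES256: Revealing the private key with same nonce" section links an example titled "with SECP256k1", but ES256 is ECDSA over P-256 with SHA-256, so the text should say that the same-nonce recovery applies to ECDSA on any curve, or link a P-256 example instead. "Nonce" is also left undefined: state that it means the per-signature ECDSA random value k, not a JWT claim, since the JTI section follows directly and readers may conflate the two. The section would be more useful with one sentence on how the condition is noticed (two signatures sharing the same r component) and how implementations avoid it (deterministic or properly random k). Wording fixes: "Here is a example" should be "Here is an example", and "jwts" should be "JWTs".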