Hack Your Own JWT Implementation

Thexssrat
4 min read · Dec 21, 2021

Introduction

JSON Web Tokens (JWT) are quickly becoming a popular way of authorizing users to perform certain actions, but a lot can go wrong in the implementation as well. We are going to build a JWT lab that does not check whether the signature is valid, but not before we give you an overview of what a JWT looks like.

Make a connection

THE SERVER GETS ERASED EVERY 24 HOURS

  • [ ] FTP connection: hackxpert.com
  • [ ] User: Training
  • [ ] Password: test
  • [ ] Create a new file on the server
  • [ ] Use “nickname.php”, for example “rat.php”, where the nickname can be anything as long as you can copy and paste it

Let’s create a way of generating JWT tokens

Add the following code to your file:

(Source: https://roytuts.com/how-to-generate-and-validate-jwt-using-php-without-using-third-party-api/)

    <?php
    include('instructions.php');

    function generate_jwt($headers, $payload, $secret = 'secret', $encoding = 'SHA256') {
        $headers_encoded = base64url_encode(json_encode($headers));
        $payload_encoded = base64url_encode(json_encode($payload));
        // sign "header.payload" with the shared secret; $encoding selects the HMAC hash
        $signature = hash_hmac($encoding, "$headers_encoded.$payload_encoded", $secret, true);
        $signature_encoded = base64url_encode($signature);
        $jwt = "$headers_encoded.$payload_encoded.$signature_encoded";
        return $jwt;
    }

    function base64url_encode($str) {
        // standard base64 with the URL-safe alphabet and the trailing '=' padding removed
        return rtrim(strtr(base64_encode($str), '+/', '-_'), '=');
    }

    function is_jwt_valid($jwt, $secret = 'secret') {
        // split the jwt
        $tokenParts = explode('.', $jwt);
        // the segments are base64url, so map '-_' back to '+/' before decoding
        $header = base64_decode(strtr($tokenParts[0], '-_', '+/'));
        $payload = base64_decode(strtr($tokenParts[1], '-_', '+/'));
        $signature_provided = $tokenParts[2];
        // check the expiration time - note this will cause an error if there is no 'exp' claim in the jwt
        $expiration = json_decode($payload)->exp;
        $is_token_expired = ($expiration - time()) < 0;
        // build a signature based on the header and payload using the secret
        $base64_url_header = base64url_encode($header);
        $base64_url_payload = base64url_encode($payload);
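As an added example (not the post's own code, nor the roytuts snippet above), here is the same HS256 construction in Python, with the lab's behaviour of checking only `exp` placed next to a validator that actually verifies the signature. The secret `secret`, the claim values and the modified token in the usage are constructed lab inputs.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"secret"  # same default as the PHP snippet; a lab value, not for production

def b64url_encode(raw: bytes) -> str:
    # mirrors the PHP base64url_encode: URL-safe alphabet, '=' padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    # restore the padding the encoder stripped before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def generate_jwt(payload: dict, secret: bytes = SECRET) -> str:
    # header and payload are base64url(JSON); the third segment is HMAC-SHA256 over "header.payload"
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def lab_validate(jwt: str, now=None):
    # the lab's behaviour: decode the payload and check exp, never look at the signature
    parts = jwt.split(".")
    if len(parts) != 3:
        return None
    payload = json.loads(b64url_decode(parts[1]))
    if payload.get("exp", 0) < (now if now is not None else time.time()):
        return None
    return payload

def strict_validate(jwt: str, secret: bytes = SECRET, now=None):
    # hardened: pin the algorithm, recompute the HMAC, compare in constant time, then check exp
    parts = jwt.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if header.get("alg") != "HS256":
        return None
    if not hmac.compare_digest(b64url_encode(expected).encode(), parts[2].encode()):
        return None
    if payload.get("exp", 0) < (now if now is not None else time.time()):  # no exp: fail closed
        return None
    return payload
```

A token whose payload segment is rewritten while the signature segment is left alone passes `lab_validate` but is rejected by `strict_validate`, which is exactly the gap the lab is built to show.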
