CVE-2015-9235

This repository contains a Go-based tool for testing and exploiting various JWT vulnerabilities, including CVE-2020-28042 (empty signature attack). It supports multiple attack modes such as modifying the algorithm to 'none', signature validation bypass, and key injection.

This repository contains a functional Python script that exploits CVE-2015-9235 by manipulating JWT tokens to bypass verification when asymmetric keys are expected but symmetric keys are used. It allows replacing a key-value pair in the JWT payload and recalculating the signature using HMAC-SHA256.

This repository contains a functional Python script that exploits CVE-2015-9235, a JWT key confusion vulnerability in the jsonwebtoken Node.js module. The script modifies a JWT payload and resigns it using HMAC-SHA256, bypassing verification when the original token was signed with an asymmetric algorithm.

This repository contains a functional proof-of-concept exploit for CVE-2015-9235, demonstrating a JWT key confusion attack. The exploit manipulates the JWT header to switch from RS256 to HS256 and uses the public key embedded in the token to sign a tampered payload, bypassing authentication.

This repository demonstrates a functional exploit for CVE-2015-9235, an algorithm confusion attack on JWT libraries. The exploit forges a JWT by changing the algorithm from RS256 to HS256 and signing it with the public key, bypassing authentication to achieve admin privileges.