Token jwt decrypt



  • when I get the login request on a website, the email and password were supposed to appear in texView but I get a jwt token, how can I decrypt this?

    jwt.png

    {"jwe":"eyJraWQiOiJlNjY0NTg4ZS0yNjY1LTQzYmMtYjQ5Ny1mYmVmZGEzYTI2ZGYiLCJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0.bAYq1SfpOXpUALY8mQ_omfutvwB37se6xLw29NcSIkEyZVlERSbJpE1eX_kgU7jEW1FUNGgVeoabmMl-3C8MGk5rc4KAE9iod-zCRP46ylRSXFbYu3_kMXlNfM7-W1G2PGPmywgROMOMjsVarg1vj-gFm--88vUEM-ZL9kQI7gVTzZPB_jwrJzGAp0AeEQE1H9xkkHuU-41piWKcH2_X28F1TKJcMNkvaazl1th1fllAZH8P19xsA6eoD1PbCDIwhoJNzvhct2CG6uE1xY4jTZLPGxARn7fF-QubW0IZacxP9MYqZao9wuOH1iW8z-rGSm2CcNlsE_X9ntSjfatfxx7izDe5dSY1emMcDb9xcWrmGGlhkduAUxQv3BMlZ7SHCcM-MEYsg3FG8vMOrxHG4EWPhr4_aOaWg_EV8LD6VFJMRPF5bQEigv-XomheYtZF5KYkCJJ_6CQpzO3LQqa4xL14Nj3B9vj5yEXyY9YGYZQMVGZde5n3RGSGNfMdQa2oJxW9cs94zkafCF4he0qVxcEPiXYQVMESvAE_y3G8UOegwKmcttLIJQJ1mVIzhkAyWPzjTjEgwtQmdxu1Hkt37F30KpIvAGwkhjpcEsOqsf8eT5IZZh21wsrjs-isYsPBsH-fQoM1V8XZyEOi3LI6knPGMz_4bGYSNEfwUOq1-bw.dvuMp84sSnRb9--R.TVVrdqV_oluz54mSHdQNnxnhaJE4ULoJBr3LFFZcAJjEdWPlh97Q8VRd7uiWGsEiawaX6L2FsYaX39OImhddDhcYoHOOnEEAi7HBTlvw1RZHxcml_7LnznH7u53DzDHUesunoRPxT_99-5veBznlCXDiBufe40XRlVLYs1zIrQjxyMp4u6V0UM4EFzsO.LWik0fBAnGH1lX4N1m_2EQ"}
    

  • Admin



  • @Ruri {"kid":"e664588e-2665-43bc-b497-fbefda3a26df","alg":"RSA-OAEP-256","enc":"A256GCM"}
    what do i do with it?


  • Admin

    The jwt is used for authentication so just send it to the website to prove that you're authed



  • @Ruri
    how do I do this, if I do not format the USER AND PASS?



  • @Ruri I want to discover this jwt, to put the USER AND PASS IN PostData



  • i know but i cant explain it because im arabic..sorry



  • @ramadan77
    I'm using google translator. Why don't you do it for us to communicate too?



  • This post is deleted!


  • @ramadan77
    I understand, and what do I do?



  • @ramadan77 i think he is trying to say that this is the whole post data that contain the login information. This isn't a request before the login request.



  • This post is deleted!


  • @ramadan77 Yo, what? lol I'm fine and you?



  • @ramadan77 did you understand what snowy said?



  • it's easier to use the App for even if it presents JWT you can solve the issue by reverse engineering the App



  • If you wanna easily decode a JWT in OB Use this:

    PARSE "<JWT>" LR "." "." -> VAR "JWT" 
    
    FUNCTION Base64Decode "<JWT>" -> VAR "Decoded" 
    


  • @spicy said in Token jwt decrypt:

    If you wanna easily decode a JWT in OB Use this:

    PARSE "<JWT>" LR "." "." -> VAR "JWT" 
    
    FUNCTION Base64Decode "<JWT>" -> VAR "Decoded" 
    

    decoding the JWT will show the payload head as a start, which contains the type of encryption, the second part contains the payload data. the third part of the JWT is the signature which needs the sign key.



  • @Fairy Yes but he asked how to decode it at first.



  • Decoding a hashed password/token/string is impossible for it goes only one way, from plain text to hash.
    Of you want to know what the hash is you have to know the plain text and the type of encryption/hash and then hash the plain text and compare both hashes and see if they are compatible.
    Now about the JWT, you can decode it using Base64 decode function which will decode only the payload head and the payload data.
    The third part is an encryption using HMAC and a secret key to sign the signature and can not be decoded, same as hashes you can only compare the signatures after encryption.
    The payload head would give you the type of encryption/hash used in the JWT. Such as SHA1... Etc
    Now if you want to alter the payload data, you need to sign the payload head and payload data using the private key as an HMAC key with the type of hash provided in the payload head, and then send the payloads along with their signature.
    I hope I have answered all the questions regarding JWT


Log in to reply