What is? JWT

Json Web Token (JWT), Is a kind of implementation based on the JSON Open standards for （RFC 7519.

        The token Designed to be compact and safe , Especially for single sign in of distributed sites （SSO） scene , Is the most popular cross domain authentication solution .JWT The declaration of is generally used to pass the authenticated user identity information between the identity provider and the service provider , To get resources from the resource server , You can also add some additional declaration information that other business logic requires , The token It can also be used directly for authentication , It can also be encrypted .

JWT Three parts of

• Header（ Head ）
• Payload（ load ）
• Signature（ Signature ）

         JWT Three parts for intermediate use . Division

        Well known , After logging into the account , The front end will receive the message from the back end JWT.JWT The first two paragraphs of the default is Base64 Coded , verification JWT Whether it has been tampered with depends mostly on the signature of the last paragraph .

        The back end usually specifies a signature algorithm （ Such as HMACSHA256 Algorithm ,secret It is generally defined by the back end , Must not leak , Otherwise, the attacker will be able to forge JWT request ）

       JWT Part three

HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

[JWTHub subject ]JWT The data of the header and payload are transmitted in plaintext , If it contains sensitive information , Sensitive information will be leaked . Try to find out FLAG. The format is flag{}

1.  Click the link to enter the topic environment

2.  Enter a user name and password randomly to log in .

3. open F12 Console , Find local storage and Cookie, Find out JWT There is Cookie in

4. Get JWT Go to jwt.io Website to parse ( Or press . Split into three segments , Take the first two paragraphs Base64 decode )

 5. Find out FLAG（ Half in Header, Half in Payload, Just splice them together ）

Give me a compliment if you like ~ Thank you very much!