
JWT Key Injection (JKU/X5U)

Advanced

The server fetches signing keys from the URL specified in the JWT's jku header. Point it to your own key server to forge valid tokens with any claims you want.

JWT Structure
HEADER
{
  "alg": "RS256",
  "typ": "JWT",
  "jku": "https://auth.corp.io/.well-known/jwks.json"
}
PAYLOAD
{
  "sub": "user123",
  "name": "Bob Smith",
  "role": "user",
  "exp": 1711929600,
  "iss": "auth.corp.io"
}
SIGNATURE
RSASHA256(header + payload, server_private_key)

Challenges

1. Forge a Token via JKU Injection
   Change the jku header to point to your attacker-controlled JWK set URL and forge an admin token.
2. Apply JKU Whitelist
   Enable JKU whitelist and key pinning to prevent token forgery.
How to fix JWT key injection
Whitelist JKU URLs and pin signing keys
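As an added example (not code from the simulation itself), the policy below shows the server-side fix in Python: the jku value must exactly match an allowlisted URL, the algorithm is fixed by the server, and the key actually served under that URL must match a pinned RFC 7638 thumbprint. It assumes a kid header and uses a constructed sample JWK (the modulus is a placeholder string); the fetched JWK set is passed in as a parameter so the check runs offline.

```python
import base64
import hashlib
import json

# Exact JWKS URLs this server will accept in a jku header (the page's issuer URL).
ALLOWED_JKU = {"https://auth.corp.io/.well-known/jwks.json"}
ALLOWED_ALGS = {"RS256"}  # the server, not the token, decides the algorithm
# Constructed sample JWK standing in for the issuer's real public key; "n" is a
# placeholder string, not a real RSA modulus.
TRUSTED_JWK = {"kty": "RSA", "kid": "corp-2024-01", "e": "AQAB", "n": "sample-modulus"}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the required RSA members."""
    members = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode()).digest())

# Pinned kid -> thumbprint. In production this is a constant from deployment config;
# here it is derived from the constructed key so the example runs offline.
PINNED_KEYS = {"corp-2024-01": jwk_thumbprint(TRUSTED_JWK)}

def select_verification_key(token: str, fetched_jwks: dict):
    """Return the JWK to verify `token` with, or None if any policy check fails.
    `fetched_jwks` is the JWK set that WOULD have been downloaded from the jku URL;
    it is passed in so the check runs without network access."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    if header.get("alg") not in ALLOWED_ALGS:  # 1. pin the algorithm
        return None
    if header.get("jku") not in ALLOWED_JKU:  # 2. exact match, never a prefix check
        return None
    kid = header.get("kid")
    if kid not in PINNED_KEYS:  # 3. only pinned key ids are accepted
        return None
    for jwk in fetched_jwks.get("keys", []):  # 4. served key must match the pin
        if jwk.get("kid") == kid and jwk_thumbprint(jwk) == PINNED_KEYS[kid]:
            return jwk
    return None

def make_token(header: dict) -> str:
    """Constructed token: the page's sample payload plus a dummy signature segment."""
    payload = {"sub": "user123", "name": "Bob Smith", "role": "user", "iss": "auth.corp.io"}
    segments = [b64url_encode(json.dumps(part).encode()) for part in (header, payload)]
    return ".".join(segments + ["sig"])
```

Signature verification itself (RSASHA256 over header and payload with the returned JWK) is the normal library step that follows; this check only decides whether a key may be used at all.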
