From 045768a48bf4af528b8d1077112fe4f412d4f80b Mon Sep 17 00:00:00 2001
From: Sergej Schmidt
Date: Mon, 1 Apr 2024 13:09:48 +0200
Subject: [PATCH] Fix intendation/scope for block responsible of jku-var exchange.

I belive this addresses the problem described in issue #90. To reproduce the undefined var in line it I had to run in the scan mode "-M at" and you need a JWT that defines "jku" field. In that case the try block before succeds. That lead to the "jku" variable never to be defined.
---
 jwt_tool.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/jwt_tool.py b/jwt_tool.py
index 9647dbe..cc14800 100644
--- a/jwt_tool.py
+++ b/jwt_tool.py
@@ -1433,10 +1433,10 @@ def scanModePlaybook():
 origjku = headDict["jku"]
 except:
 origjku = False
- if config['services']['jwksloc']:
- jku = config['services']['jwksloc']
- else:
- jku = config['services']['jwksdynamic']
+ if config['services']['jwksloc']:
+ jku = config['services']['jwksloc']
+ else:
+ jku = config['services']['jwksdynamic']
 newContents, newSig = exportJWKS(jku)
 jwtOut(newContents+"."+newSig, "Exploit: Spoof JWKS (-X s)", "Signed with JWKS at "+jku)
 if origjku:
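Review bot: The dedented fallback on the four added lines still assumes that at least one of `config['services']['jwksloc']` and `config['services']['jwksdynamic']` is populated; if both are empty or unset (the config loader is not visible here, so this is inferred), `jku` ends up falsy and flows straight into `exportJWKS(jku)` and the `"Signed with JWKS at "+jku` concatenation, which would abort the whole `-M at` playbook rather than skip this one probe. A guard before the `exportJWKS` call, e.g. `if not jku: return` (or log-and-skip for just the spoof-JWKS exploit), would keep an unconfigured JWKS location from turning into a traceback. The branch itself reads more directly as the one-liner `jku = config['services']['jwksloc'] or config['services']['jwksdynamic']`. The bare `except:` just above is unchanged context, but it swallows everything rather than only the missing-header case that the lookup expects; `except KeyError:` is the narrow form. scanModePlaybook starts and ends outside this hunk.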