| CARVIEW |
Select Language
HTTP/2 200
date: Wed, 30 Jul 2025 17:19:28 GMT
content-type: text/html; charset=utf-8
vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, X-Requested-With,Accept-Encoding, Accept, X-Requested-With
etag: W/"ffe67afa89dc8ac50c1ec2f4d819272f"
cache-control: max-age=0, private, must-revalidate
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-frame-options: deny
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: no-referrer-when-downgrade
content-security-policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com release-assets.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com copilotprodattachments.blob.core.windows.net/github-production-copilot-attachments/ github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
server: github.com
content-encoding: gzip
accept-ranges: bytes
set-cookie: _gh_sess=otrLzZkDNK56%2FGD%2FmQFdd0CUi8QnovHsLJkgDhjUIFR%2FRnbS0Nj3ZHDE0cH4ZTX9f2GjSoyzIxJ9Hrpu50Tol%2F6kQ2DfjYMt3i3nCqKFFB7qkM1hyNOHZWiYRyA6Ynsg6jU9AOyO2VDyrG%2FcLfEigM7InkQxecNphdgiFoaP7mm42gexKVQRF4oyHnZ3Yd3r%2BCB0f9zggRYa80HNNUyNfp%2BQong%2F%2FVmrWZ5OjLnnfu5UPeaUdWayqAETj0LAME2yuCtOdSRIV7ramHAMPP1Eog%3D%3D--mteKEsevmhHQ%2FTbr--j%2BYvHAQd3ClCuTfCXNPH9A%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _octo=GH1.1.2131939963.1753895967; Path=/; Domain=github.com; Expires=Thu, 30 Jul 2026 17:19:27 GMT; Secure; SameSite=Lax
set-cookie: logged_in=no; Path=/; Domain=github.com; Expires=Thu, 30 Jul 2026 17:19:27 GMT; HttpOnly; Secure; SameSite=Lax
x-github-request-id: CC2A:3FB2D:14ED28:18C2C4:688A541F
Finding Public Keys · ticarpi/jwt_tool Wiki · GitHub
Skip to content
Navigation Menu
{{ message }}
-
Notifications
You must be signed in to change notification settings - Fork 724
Finding Public Keys
ticarpi edited this page Nov 14, 2019
·
2 revisions
In order to try some of the attack paths for tokens with asymmetric encryption we may need to find the Public Key. There are a number of possible methods.
In some cases the token might be signed with the Private Key of the webserver's SSL connection. Grabbing the x509 and extracting the Public Key from SSL is simple enough:
$ openssl s_client -connect example.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > certificatechain.pem
$ openssl x509 -pubkey -in certificatechain.pem -noout > pubkey.pem
To verify a token a service may expose the Public Key via an API endpoint such as "/API/v1/keys". The location should be listed is the API's docs (if you have access to them), or you may see traffic to this endpoint in your proxy history.
Another common alternative is exposing a key (or set of keys) in a JWKS (JSON Web Key Store) file. Some common locations for this would be:
- /.well-known/jwks.json
- /openid/connect/jwks.json
- /jwks.json
- /api/keys
- /api/v1/keys
Other locations for JWKS files may be platform-specific, so it's worth checking the docs (or Googling).
There are two standard header claims that can direct the service to the Public Key for verification:
- jku - a claim pointing towards the JWKS URL
- x5u - a claim pointing towards the X509 certificate location (could be in a JWKS file)
A further claim that could hint at the location of a Public Key is the iss payload claim, which shows the name or URL of the body that created the JWT, which may be an external service or API. Use this information to direct your search towards the likely locations for the Issuer's Public Key.
Finally you may just be lucky enough to spot a verbose error from the application (or external Issuer). To try to force an error you should submit a mixture of 'broken' tokens:
- Broken signature
- Invalid Base64 format (leave in the padding)
- Invalid Base64 mode (use URL-safe, standard, out URL-encoded)
- Invalid claim values (wrong URLs, etc.)
- Invalid algorithms ("alg")
- Invalid JWT type ("typ")
- Wrong value mode (string/integer/float/Boolean)
- Try anything you can think of to break it!
Clone this wiki locally
You can’t perform that action at this time.