
stthjpv: A security protection tool for JWT Payload

author:FreeBuf

About stthjpv

stthjpv is a security protection tool for the JWT Payload. It combines several techniques and ideas: by constantly changing the relevant parameter values, it keeps the Payload from being read once it has been decoded, helping researchers better protect the security of the JWT Payload.


In addition, the tool ensures that the JWT Payload remains difficult to read and understand even after it has been decoded. It is also worth mentioning that the tool is fast, with high performance and low overhead.

What is the JWT token?

JSON Web Token (JWT) is a compact, URL-safe method for passing JSON messages securely between two communicating parties, and it is a standard specification defined in RFC 7519. A JWT is a long string separated by dots into sections, each of which is Base64url encoded.

Which parts the token contains depends on the type of JWT (JWS or JWE). If a token is signed (JWS), it consists of three parts: the header, the payload, and the signature. If the token is encrypted (JWE), it consists of five parts: the header, the encrypted key, the initialization vector, the ciphertext (the encrypted payload), and the authentication tag. The most common use case for JWTs is as access tokens and ID tokens in OAuth and OpenID Connect flows, but they can also be used for other purposes.

Tool features

This tool is designed to enhance the security of the Payload part of a JWT token. Generally speaking, once a JWT token is Base64url-decoded, the Payload is in plaintext; this tool encrypts or obfuscates the Payload values so that it is much harder for others to decode or analyze the Payload.

Tool dependencies

PyJWT

Tool installation

Since the tool is based on Python 3.11, first install and configure the latest version of Python 3 on the local device.

Next, researchers can clone the project's source code to the local computer with the following command:

git clone https://github.com/password123456/some-tweak-to-hide-jwt-payload-values.git

Then switch to the project directory and install the dependencies listed in the project's requirements.txt with pip:

cd some-tweak-to-hide-jwt-payload-values

pip3 install -r requirements.txt

Tool use

# python3 main.py

- Current Unix Timestamp: 1709160368
- Current Unix Timestamp to Human Readable: 2024-02-29 07:46:08

- userid: 23243232
- XOR Symmetric key: b'generally_user_salt_or_hash_or_random_uuid_this_value_must_be_in_dbms'
- JWT Secret key: yes_your_service_jwt_secret_key

- Encoded UserID and Timestamp: VVZcUUFTX14FOkdEUUFpEVZfTWwKEGkLUxUKawtHOkAAW1RXDGYWQAo=
- Decoded UserID and Hashed Timestamp: 23243232|e27436b7393eb6c2fb4d5e2a508a9c5c

- JWT Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0aW1lc3RhbXAiOiIyMDI0LTAyLTI5IDA3OjQ2OjA4IiwidXNlcmlkIjoiVlZaY1VVRlRYMTRGT2tkRVVVRnBFVlpmVFd3S0VHa0xVeFVLYXd0SE9rQUFXMVJYREdZV1FBbz0ifQ.bM_6cBZHdXhMZjyefr6YO5n5X51SzXjyBUEzFiBaZ7Q
- Decoded JWT: {'timestamp': '2024-02-29 07:46:08', 'userid': 'VVZcUUFTX14FOkdEUUFpEVZfTWwKEGkLUxUKawtHOkAAW1RXDGYWQAo='}

# run again

- Decoded JWT: {'timestamp': '2024-02-29 08:16:36', 'userid': 'VVZcUUFTX14FaRNAVBRpRQcORmtWRGleVUtRZlYXaBZZCgYOWGlDR10='}
- Decoded JWT: {'timestamp': '2024-02-29 08:16:51', 'userid': 'VVZcUUFTX14FZxMRVUdnEgJZEmxfRztRVUBabAsRZkdVVlJWWztGQVA='}
- Decoded JWT: {'timestamp': '2024-02-29 08:17:01', 'userid': 'VVZcUUFTX14FbxYQUkM8RVRZEmkLRWsNUBYNb1sQPREFDFYKDmYRQV4='}
- Decoded JWT: {'timestamp': '2024-02-29 08:17:09', 'userid': 'VVZcUUFTX14FbUNEVEVqEFlaTGoKQjxZBRULOlpGPUtSClALWD5GRAs='}
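The sample output above shows what the "Tool features" section describes in practice: the value placed in the userid claim is the string `<userid>|<hash of timestamp>` XORed byte by byte with the symmetric key, then Base64 encoded, so it changes on every run while the JWT itself is a normal HS256-signed token. The following Python is an added example, not the project's own code, that reconstructs that pipeline using only the standard library (HMAC signing in place of PyJWT). The XOR-then-Base64 step is taken from the printed values on this page; that the 32-character timestamp hash is MD5 is an assumption, as are the function names.

```python
"""Reconstruction of the stthjpv scheme as shown in the sample output.

Added example, not the project's own code. Inferred from the printed values:
plaintext "<userid>|<hash(timestamp)>" is XORed byte-for-byte with the symmetric
key, Base64-encoded, and stored in the "userid" claim of an HS256 JWT.
MD5 for the timestamp hash is an assumption (32 hex chars in the output).
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Values copied from the sample output on this page (demo values, not real secrets).
XOR_KEY = b"generally_user_salt_or_hash_or_random_uuid_this_value_must_be_in_dbms"
JWT_SECRET = b"yes_your_service_jwt_secret_key"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key; the key repeats if data is longer than the key."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate_value(plain: str, key: bytes = XOR_KEY) -> str:
    """XOR the plaintext with the key and Base64-encode the result."""
    return base64.b64encode(xor_bytes(plain.encode(), key)).decode()


def obfuscate_userid(userid: str, timestamp: int, key: bytes = XOR_KEY) -> str:
    """Build '<userid>|<md5(timestamp)>' (MD5 is an assumption) and obfuscate it."""
    digest = hashlib.md5(str(timestamp).encode()).hexdigest()
    return obfuscate_value(f"{userid}|{digest}", key)


def deobfuscate_userid(value: str, key: bytes = XOR_KEY) -> Tuple[str, str]:
    """Inverse: Base64-decode, XOR with the same key, split on '|'."""
    plain = xor_bytes(base64.b64decode(value), key).decode()
    userid, digest = plain.split("|", 1)
    return userid, digest


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_jwt(payload: dict, secret: bytes = JWT_SECRET) -> str:
    """Produce a compact HS256 JWS: header.payload.signature (same layout as PyJWT)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes = JWT_SECRET) -> Optional[dict]:
    """Return the payload if the HS256 signature checks out, else None.

    The alg is pinned to HS256 so tokens claiming 'none' or another
    algorithm are rejected rather than interpreted.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError, json.JSONDecodeError):
        return None


if __name__ == "__main__":
    # Reproduce the first run from the page: userid 23243232 at 1709160368.
    claim = obfuscate_userid("23243232", 1709160368)
    token = sign_jwt({"timestamp": "2024-02-29 07:46:08", "userid": claim})
    print("JWT Token:", token)
    print("Decoded JWT:", verify_jwt(token))
    print("Recovered:", deobfuscate_userid(claim))
```

Two points worth keeping in mind when reading the output. First, the signature only protects integrity: anyone can still Base64-decode the payload, which is why the tool hides the userid value rather than relying on the token being opaque. Second, the XOR step is reversible by anyone holding the per-user key, so it is obfuscation tied to key secrecy; where real confidentiality of claims is required, the standard mechanism is the five-part JWE form described earlier in the article.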

Screenshot of the tool running

[Screenshots of stthjpv running; images not reproduced in this text version]

License Agreement

This project is developed and released under an open source license.

Project address

stthjpv: https://github.com/password123456/some-tweak-to-hide-jwt-payload-values
