API 02

This exercise is the API version of an exercise you already solved in another badge. You should use it to get more confident with discovering vulnerabilities without any hint on what to look for.

< 1 Hr.
API Badge


This challenge involves finding a vulnerability that grants access to a secret key stored in the account of the user admin@libcurl.so. You will begin by signing up for the web application and creating a secret. By monitoring network traffic, you will uncover key API calls and responses. Through this process, you'll explore JWT tokens and learn to manipulate them to bypass security checks.

The exercise builds on a previous badge challenge to further develop your vulnerability detection skills. By experimenting with JWT tokens, you'll discover how to alter the payload to gain unauthorized access to the secret key. The main issue here is the application's failure to validate JWT signatures properly, allowing attackers to modify the token payload and impersonate other users.
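The signature check this exercise turns on, as an added example that is not part of the original page or the application's own code: it contrasts a reader that trusts the payload with a verifier that checks the MAC first, using only the Python standard library. The key, user names and tokens are constructed, and HS256 is an assumption, since the page does not say which algorithm the application uses.

```python
import base64, hashlib, hmac, json

class InvalidToken(Exception):
    """Raised when a token must not be trusted."""

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(claims: dict, key: bytes) -> str:
    signing_input = encode_part({"alg": "HS256", "typ": "JWT"}) + "." + encode_part(claims)
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def claims_without_verification(token: str) -> dict:
    # The flaw class described above: the payload is parsed and trusted,
    # and the third segment (the signature) is never checked.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, key: bytes) -> dict:
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        presented = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise InvalidToken("malformed token") from exc
    # Pin the algorithm server-side; the token must not choose it ("none", etc.).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):  # constant-time comparison
        raise InvalidToken("bad signature")
    return json.loads(b64url_decode(payload_b64))  # parsed only after the MAC checks out

# Constructed sample data: key, users and tokens are made up for this example.
KEY = b"constructed-demo-key"
GOOD = sign_hs256({"user": "user@example.test"}, KEY)
head, _, sig = GOOD.split(".")
TAMPERED = ".".join([head, encode_part({"user": "other@example.test"}), sig])

def is_accepted(token: str) -> bool:
    try:
        verify_hs256(token, KEY)
        return True
    except InvalidToken:
        return False
```

A regression test for this class of bug asserts that a token whose payload changed after signing is rejected, rather than only that a valid token is accepted.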
