API 03

This exercise is the API version of an exercise you already solved in another badge. You should use it to get more confident with discovering vulnerabilities without any hint on what to look for.

PRO
Tier
Easy
< 1 Hr.
1664
API Badge

Course


In this challenge, you need to uncover a vulnerability that grants access to a key stored as a secret within the admin's account. By signing up as test@pentesterlab.com and creating a secret, you can explore the application's behavior through network inspection tools. The challenge involves manipulating the JWT token to bypass authentication mechanisms.

The video guide walks you through the process of capturing the network traffic, copying the JWT token, and attempting to manipulate it. When direct IDOR (Insecure Direct Object References) attacks fail, the focus shifts to tampering with the JWT token. By cracking the weak signature of the token using hashcat and the rockyou.txt password list, you can craft a valid token, impersonate the admin user, and retrieve the key for the challenge.

Want to learn more? Get started with PentesterLab Pro! GO PRO