JWT XI

This exercise delves into the exploitation of the jku header within JWT tokens, specifically aimed at forging a token to gain admin privileges. Building on previous exercises (JWT VIII and IX), you'll learn how to create a private and public key pair, craft a JWK file, and use a header injection vulnerability to serve this JWK file from a trusted URL. The key challenge here is to bypass URL restrictions by exploiting the application's header injection vulnerability, which allows the URL to start with a trusted application.

You'll start by generating RSA keys and creating scripts to extract necessary parameters (n and e), serve the JWK file via header injection, and sign the JWT payload. Despite the application's caching and URL restrictions, you'll learn to modify the URL and ensure the algorithm matches (RS256). By the end of the exercise, you will have successfully forged a JWT token and bypassed the signature mechanism, demonstrating a critical vulnerability even in signed payloads.