JSON Web Token II

This exercise covers the exploitation of an issue with some implementations of JWT

1-2 Hrs.
Yellow Badge


The course delves into the exploitation of vulnerabilities in the JWT signature mechanism. It emphasizes how JWTs, used for authentication, can be tampered with by changing the algorithm from RSA (RS256) to HMAC (HS256). This allows an attacker to forge a valid signature using the public key, which is meant for verification only. The course includes hands-on steps to decode the JWT, change the algorithm, alter the username to "admin," and recompute the signature to gain admin access.

The video transcript complements the course by providing a step-by-step guide on crafting and exploiting the JWT using Python. It highlights the process of decoding the JWT, altering the signature algorithm, and using Python scripts to generate a new, valid JWT. The video also covers the nuances between Python 2 and Python 3 in this context, ensuring learners can adapt to modern coding practices.

Want to learn more? Get started with PentesterLab Pro! GO PRO