Course

In this lab, we delve into the `jku` header in JWT tokens, demonstrating how to forge a token to become an admin. JWT allows users to link to a public key using the `jku` header, but this URL should never be trusted as an attacker can provide their own URL and sign the message with a corresponding private key. We will create a private and public key, construct a matching JWK file, and host it on a public server. Using an Open Redirect vulnerability, we will trick the application into trusting our malicious URL, allowing us to bypass the restriction that the JWK file's URL must start with a trusted application.

The exercise also covers practical steps like extracting `n` and `e` values from the private key, building scripts for JWT manipulation, and dealing with URL caching issues. By the end, you'll understand how even signed payloads can be exploited through clever manipulation of JWT headers and Open Redirects. This lab emphasizes the importance of not blindly trusting URLs in security-sensitive applications and provides insights into safeguarding against such vulnerabilities.