JWT XI

This exercise covers how to use the jku header to bypass an authentication based on JWT.

PRO Tier | Hard | 1-2 Hrs. | 595 | Green Badge | Course


This exercise covers the exploitation of the `jku` header in JWTs, with the specific goal of forging a token that carries admin privileges. Building on previous exercises (JWT VIII and IX), you'll learn how to create a private and public key pair, craft a JWK file, and use a header injection vulnerability to serve that JWK file from a trusted URL. The key challenge is bypassing the application's URL restriction on `jku`: the restriction only checks that the URL starts with the trusted application's address, and the header injection vulnerability lets you serve your own JWK from a URL that satisfies that check.

You'll start by generating RSA keys and writing scripts to extract the parameters a JWK needs (`n` and `e`), serve the JWK file through the header injection, and sign the JWT payload. You'll also learn to work around the application's caching and URL restrictions by adjusting the URL, and to make sure the `alg` in your token matches what the application expects (`RS256`). By the end of the exercise, you will have forged a JWT and bypassed its signature check, demonstrating that a signed payload is only as trustworthy as the process that selects the verification key.
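The weakness this exercise exploits is a `jku` check that only tests a string prefix. The following added example (written for this page, not PentesterLab's exercise code; the host `app.example.com` and the path prefix `/.well-known/jwks/` are hypothetical) contrasts that prefix check with a strict one that parses the URL and requires an exact origin and a fixed path prefix, and also pins `alg` to `RS256`. It parses the unverified JOSE header with the standard library only; fetching the JWK Set and verifying the RS256 signature would happen after this policy gate and is not shown.

```python
import base64
import json
from urllib.parse import urlsplit

# Hypothetical allowlist for this example: the only origin and path prefix
# this verifier will ever load a JWK Set from (not from the original page).
TRUSTED_JKU_ORIGIN = "https://app.example.com"
TRUSTED_JKU_PATH_PREFIX = "/.well-known/jwks/"
ALLOWED_ALG = "RS256"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(obj: dict) -> str:
    """Encode a dict as compact JSON in unpadded base64url (JWT segment form)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def parse_unverified_header(token: str) -> dict:
    """Return the JOSE header of a compact JWS without checking the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0]))


def weak_jku_check(jku: str) -> bool:
    """The flawed check: accepts any URL that merely begins with the trusted string."""
    return jku.startswith(TRUSTED_JKU_ORIGIN)


def strict_jku_check(jku: str) -> bool:
    """Parse the URL and require exact scheme+host, a fixed path prefix, and no extras."""
    parts = urlsplit(jku)
    # netloc also carries any userinfo or port, so an exact comparison rejects
    # "user@host", look-alike hosts and unexpected ports in one go.
    if f"{parts.scheme}://{parts.netloc}" != TRUSTED_JKU_ORIGIN:
        return False
    if not parts.path.startswith(TRUSTED_JKU_PATH_PREFIX):
        return False
    if ".." in parts.path.split("/"):
        return False
    if parts.query or parts.fragment:
        return False
    return True


def header_policy_ok(token: str) -> tuple:
    """Gate a token before any key is fetched: pinned alg and strictly validated jku."""
    header = parse_unverified_header(token)
    if header.get("alg") != ALLOWED_ALG:
        return False, "alg not allowed"
    jku = header.get("jku")
    if not isinstance(jku, str) or not strict_jku_check(jku):
        return False, "jku not allowed"
    return True, "ok"


def make_sample_token(header: dict) -> str:
    """Constructed sample with a placeholder signature, used only to exercise the policy."""
    return f"{_b64url_encode(header)}.{_b64url_encode({'sub': 'user'})}.AAAA"


if __name__ == "__main__":
    # Constructed inputs: one legitimate jku and two that only a prefix check accepts.
    for jku in (
        "https://app.example.com/.well-known/jwks/keys.json",
        "https://app.example.com.attacker-controlled.example/jwks.json",
        "https://app.example.com/uploads/jwks.json",
    ):
        print(jku, "weak:", weak_jku_check(jku), "strict:", strict_jku_check(jku))
    print(header_policy_ok(make_sample_token({"alg": "HS256", "jku": TRUSTED_JKU_ORIGIN})))
```

The point of the strict check is that a `jku` decision must be made on a parsed URL, not on a substring: the prefix check is satisfied by anything that begins with the trusted string, which is exactly the property the header injection in this exercise takes advantage of.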
