Ainsley Woo - Hack the Threat | Cybersecurity Portfolio

Connection Information

Objective

Exploit JWT vulnerabilities to forge an admin token and access the protected admin panel.

Scenario

The application uses JWT tokens for authentication. After logging in as a regular user, you notice the JWT implementation might have security flaws. Can you escalate your privileges to admin?

Hints

Hint 1

Check the JWT header carefully - what algorithm is being used?

Hint 2

The "alg: none" attack might be worth trying

Hint 3

Also consider the "alg: HS256" to "alg: RS256" confusion attack

Hint 4

Use jwt.io to decode and analyze the token structure

Spoiler Warning: The solution below contains the complete walkthrough. Try to solve the challenge yourself first!

Solution

This challenge exploits common JWT implementation vulnerabilities including algorithm confusion and the none algorithm.

Step 1: Register and Login

Create a regular user account and capture the JWT token from the response.

Step 2: Decode the JWT

Use jwt.io or a decoder to examine the token structure.

step-2.sh

# Example JWT structure
{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "user": "normaluser",
  "role": "user",
  "exp": 1234567890
}

Step 3: Attempt None Algorithm

Try changing the algorithm to "none" and removing the signature.

Step 4: Access Admin Panel

Use the forged token to access the admin panel and retrieve the flag.

Flag

CTF{jwt_f0rg3ry_1s_d4ng3r0us}

Key Learnings

Never accept "alg: none" in JWT validation

Validate the algorithm matches expected type

Use strong secrets for HMAC signing

Implement proper token expiration and refresh mechanisms

Back to All Challenges

JWT Token Forge

Connection Information

Objective

Scenario

Hints

Solution

Step 1: Register and Login

Step 2: Decode the JWT

Step 3: Attempt None Algorithm

Step 4: Access Admin Panel

Flag

Key Learnings

Solution

Step 1: Register and Login

Step 2: Decode the JWT

Step 3: Attempt None Algorithm

Step 4: Access Admin Panel

Flag

Key Learnings