JWT Authentication Bypass via Algorithm Confusion with No Exposed Key

👩‍🎓👨‍🎓 Learn about JSON Web Token (JWT) vulnerabilities. This lab uses a JWT-based mechanism for handling sessions. It uses a robust RSA key pair to sign and verify tokens. However, due to implementation flaws, this mechanism is vulnerable to algorithm confusion attacks. To solve the lab, we'll first obtain the server's public key. This is exposed via a standard endpoint. Next, we'll use this key to sign a modified session token that grants access to the admin panel at /admin, then delete the user carlos. Overview: 0:00 Intro 0:12 Recap 1:18 Deriving public keys from existing tokens 2:29 Lab: JWT authentication bypass via algorithm confusion with no exposed key 3:15 Solution: jwt_forgery.py (rsa_sign2n) 6:56 Conclusion If you're struggling with the concepts covered in this lab, please review the Introduction to JWT Attacks video first:    • Introduction to JWT Attacks   🧠 For more information, check out https://portswigger.net/web-security/jwt 🔗 ‪@PortSwiggerTV‬ challenge: https://portswigger.net/web-security/... 🧑💻 Sign up and start hacking right now - https://go.intigriti.com/register 👾 Join our Discord - https://go.intigriti.com/discord 🎙️ This show is hosted by   / _cryptocat   ( ‪@_CryptoCat‬ ) &   / intigriti   👕 Do you want some Intigriti Swag? Check out https://swag.intigriti.com