Hey there, back again with another post! 😄
In this post I’ll be sharing an interesting finding from an internal web pentest where I discovered an account takeover vulnerability caused by a JWT misconfiguration. I’ll walk you through my approach step by step: how I identified the flaw and ultimately escalated from a normal user to an admin.
If you haven’t checked out my previous posts yet, feel free to give them a read too! 😁 Alright, let’s get started.
Before we start, let’s go through some basics: what is a JWT, and why is it used?
Basically, JWTs, or JSON Web Tokens, are a popular way for applications to handle authentication and authorization. Instead of storing session data on the server, JWTs allow the server to issue a self-contained token to the client, which is then presented to prove identity on every request.
A JWT consists of three parts: header.payload.signature.
The header contains metadata about the token, like which algorithm was used to sign it, and the payload contains the actual user data (called claims). These parts are only Base64url-encoded, not encrypted, so we can decode them to…
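To make the three-part structure concrete, here is an added example (not from the original post). It builds an HS256 token, decodes the header and payload without knowing the secret, and shows that a verifier which actually checks the signature rejects a token whose claims were altered. The secret and the claims are constructed for the demo.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment keeps this out of source control.
DEMO_SECRET = b"example-secret-do-not-use"


def b64url_encode(raw: bytes) -> str:
    # JWTs use base64url without '=' padding (RFC 7515, section 2)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding the token omits before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _compact_json(obj: dict) -> str:
    return json.dumps(obj, separators=(",", ":"))


def make_hs256_token(payload: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url_encode(_compact_json(header).encode())}.{b64url_encode(_compact_json(payload).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_token(token: str) -> tuple[dict, dict]:
    # Header and payload are only encoded, not encrypted: anyone holding the
    # token can read both without the secret. Decoding is NOT verification.
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes) -> dict | None:
    # Returns the claims only if the algorithm is the expected one and the
    # signature matches; otherwise None. The server pins the algorithm itself
    # instead of trusting the 'alg' value the client sent.
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def with_altered_claims(token: str, **changes) -> str:
    # Negative test case: re-encode the payload with changed claims but keep the
    # original signature. A correct verifier must reject the result.
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return f"{header_b64}.{b64url_encode(_compact_json(payload).encode())}.{sig_b64}"
```

Running `decode_token` on the altered token still yields the changed claims, which is exactly why any check that reads the payload without calling `verify_hs256` first is worthless.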