Daily Hack

A fresh 60-second challenge every day. Solve it, earn XP, and keep your streak alive.

Next hack in --:--:--
Daily Hack #24

The none algorithm

Web & API Security Difficulty Medium ~5 min +10 XP

This API authenticates you from the claims inside your JWT. The header says alg:HS256, but the server has a classic flaw: it also accepts a token whose header says alg:none, treating it as already valid with no signature to check. In the workbench, switch the header algorithm to none and rewrite the payload so role becomes admin. The token rebuilds live as you type. Copy the whole forged token and submit it.

Play freely - sign up to submit your answer and earn XP.

Solved! +10 XP
First blood! You were first to crack today's hack.
How it works

Nice one!

Sign up free to claim your +10 XP and start your streak.

Claim +10 XP - sign up free
15,000+ Hackers 100+ Labs & Courses Free
Start Hacking Free