

  • Daily Challenge
  • Released 31 Jul 2025

JWT Claims Manipulation Challenge

Challenge Overview

You've discovered a web application that uses JWT (JSON Web Tokens) for authentication and authorization. The challenge requires you to manipulate JWT claims to escalate your privileges from a regular user to an administrator, but there's a critical time constraint that makes this attack more complex and realistic.

Real-World Context

JWT claims manipulation is a common vulnerability in applications where developers implement custom JWT validation logic. This challenge simulates a scenario where an attacker must craft a valid JWT with modified claims while working within tight timing constraints, similar to real-world attacks where tokens have short validity windows for security purposes.

Challenge Constraints

The application has strict validation rules: the JWT must have admin privileges, a valid signature, and most importantly, the token's validity window (exp - iat) cannot exceed 10 seconds. This forces attackers to work within realistic time constraints while maintaining all security requirements.
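The following is an added example (not the lab's own server code) of what a validator enforcing these three rules looks like when written correctly: the HS256 signature is verified with the algorithm pinned server-side, the exp - iat window is capped at 10 seconds, and the role claim is checked only after the signature passes. The secret, the claim name "role", and the mint_token issuer helper are assumptions made for the example; nothing here is taken from the challenge's implementation.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed for this example; a real deployment keeps this out of source.
SECRET = b"constructed-example-secret-not-from-the-lab"
MAX_WINDOW_SECONDS = 10  # the page's "exp - iat cannot exceed 10 seconds"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issuer side: build an HS256-signed JWT for the given claims (assumed helper)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url_encode(compact(header)) + "." + _b64url_encode(compact(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_admin_token(token: str, secret: bytes = SECRET,
                         now: Optional[int] = None) -> Tuple[bool, str]:
    """Verifier side: returns (accepted, reason). `now` is injectable for testing."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "undecodable token"
    # Pin the algorithm: the header's alg field is attacker-controlled input,
    # so it is compared against what the server expects, never used to choose.
    if header.get("alg") != "HS256":
        return False, "unsupported alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # Only after the signature is trusted do the claims mean anything.
    iat, exp = payload.get("iat"), payload.get("exp")
    if type(iat) is not int or type(exp) is not int:
        return False, "iat/exp missing or not integers"
    if exp <= iat:
        return False, "exp must be after iat"
    if exp - iat > MAX_WINDOW_SECONDS:
        return False, "validity window exceeds 10s"
    if not iat <= now < exp:
        return False, "token not currently valid"
    if payload.get("role") != "admin":
        return False, "not admin"
    return True, "ok"


if __name__ == "__main__":
    t0 = int(time.time())
    token = mint_token({"sub": "alice", "role": "admin", "iat": t0, "exp": t0 + 10})
    print(validate_admin_token(token, now=t0 + 3))
```

Note the ordering: algorithm pin, then signature, then time window, then role. Checking the role claim before the signature is the classic mistake that lets a tampered payload be trusted, and accepting the header's alg is what turns a signature check into a no-op.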

Learning Objectives

  • Understand JWT structure and claims manipulation
  • Learn to work with time-based constraints in security testing
  • Practice JWT encoding and signing techniques
  • Perform privilege escalation through role manipulation
  • Understand the importance of timing in real-world attacks

First Blood 🩸
3xpl0it3r