Lab 262 — PulseBoard — JWT Signature Bypass via Google Sign-In

hackadvisor

Task: PulseBoard collaborative workspace with Google Sign-In integration, JWT signature not verified. Solution: Forge JWT with alg:none targeting OAuth user to access privileged settings containing flag.

signature_bypass jwt authentication_bypass none_algorithm token_forgery google_oauth

privilege_escalationuser_enumerationjwt_none_algorithm_attackoauth_token_forgery

$ ls tags/ techniques/

signature_bypass jwt authentication_bypass none_algorithm token_forgery google_oauth

privilege_escalationuser_enumerationjwt_none_algorithm_attackoauth_token_forgery

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]PulseBoard— hackadvisor
[web][Pro]Lab 248 — PulseBoard — Next.js Middleware Authorization Bypass— hackadvisor
[web][Pro]Lab 354 — VaultAPI — JWT Authentication Bypass via JWE-Wrapped PlainJWT— hackadvisor
[web][Pro]Lab 69 — TeamPulse — Reflected XSS in OAuth2 Error Callback— hackadvisor
[web][Pro]Lab 235 — CloudPulse — Cross-Tenant JWT Replay via Missing Tenant Binding— hackadvisor