webPromedium

Lab 12 — NewsGrid — JWT Algorithm Confusion

hackadvisor

Task: News CMS with JWT-based authentication where role is stored in token claims; admin config endpoint requires admin role. Solution: Forge JWT with alg:none and role:admin to bypass signature verification and access the admin configuration API containing the flag.

$ ls tags/ techniques/

jwt nodejs authentication_bypass token_forgery hs256 privilege_escalation role_bypass cms alg_none honeypot_detection

jwt_token_forgerydecoy_flag_identificationjwt_none_algorithm_attackrole_based_access_control_bypass

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 352 — PipeForge — Content-Type Confusion to Admin JWT Forge to RCE— hackadvisor
[web][Pro]Lab 114 — APIForge — JWT JKU Header Injection for Privilege Escalation— hackadvisor
[web][Pro]Lab 350 — VaultKeeper— hackadvisor
[web][Pro]Lab 354 — VaultAPI — JWT Authentication Bypass via JWE-Wrapped PlainJWT— hackadvisor
[web][Pro]Lab 303 — DevGateway — Broken Access Control in Admin API— hackadvisor