webPromedium
Lab 114 — APIForge — JWT JKU Header Injection for Privilege Escalation
hackadvisor
Task: API management platform using RS256 JWT with JKU federation support; admin config endpoint requires admin role. Solution: Generate custom RSA key pair, host JWKS on lab's internal interaction server, forge JWT with jku header pointing to attacker-controlled JWKS and role:admin to bypass signature verification and access admin panel.
$ ls tags/ techniques/
jwtnodejsauthentication_bypasstoken_forgeryexpressprivilege_escalationrsars256honeypot_detectionjkujwks
decoy_flag_identificationrole_based_access_control_bypassjwt_jku_header_injectionrs256_jwt_forgery_with_custom_keypairjwks_endpoint_spoofing
🔒
Permission denied (requires tier.pro)
Sign in to access full writeups
Sign in with GitHub to continue. No email required.
$sign in$ grep --similar
Similar writeups
- [web][Pro]Lab 352 — PipeForge — Content-Type Confusion to Admin JWT Forge to RCE— hackadvisor
- [web][Pro]Lab 354 — VaultAPI — JWT Authentication Bypass via JWE-Wrapped PlainJWT— hackadvisor
- [web][Pro]Lab 320 — BuildForge — Path Traversal to RCE via CLI @File Expansion— hackadvisor
- [web][Pro]Lab 350 — VaultKeeper— hackadvisor
- [web][Pro]Lab 12 — NewsGrid — JWT Algorithm Confusion— hackadvisor