Lab 114 — APIForge — JWT JKU Header Injection for Privilege Escalation

hackadvisor

Task: API management platform using RS256 JWT with JKU federation support; admin config endpoint requires admin role. Solution: Generate custom RSA key pair, host JWKS on lab's internal interaction server, forge JWT with jku header pointing to attacker-controlled JWKS and role:admin to bypass signature verification and access admin panel.