Task: Bypass the signature verification and set the iban to DE66 6666 6666 6666 66 to receive the flag.

💳 Example token 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.eyJhdWQiOiJWbGFkaXNsYXYuTWxhZGVub3YiLCJhbW91bnQiOiI5OSIsImliYW4iOiJERTcyIDEyMzQgNTY3OCA4OTAxIDIzIiwiaXNzIjoiQ2hyaXN0aWFuLk1haW5rYSJ9.A8zvAACijfz3vgo2st0_W3DUbZHaVEg3RbvxyF8ItNVQHZk7ar2zrOhUJbpXSzspdkjNJA2CSBjRbAc32u4wQF5vHICRkUve9Y8kLBPLY0CBFSfWmdLkKiwJSjZb3vk5o11PDSUsEs3AQ-5vG9rogozpXHrxbTcMu1D-wj3Dw0IcwUbHYI1-2SHIcpHdofW8_3rxgZ8QmcPljzWPWWjZ-PmUX9G1P2-gpvC79qJuuCjRVz8yDAS-TmL52pg49Yb_f6m8LIjwEYvJT-CrcUyjBt36Jd3JG4ulWb8X-3XcRhCYC0MnpcpSeziL9GC-IVrvPi4_oJvyKBaX3CWE-YGALQ

Select your verifier:

Trivial Attack

Verifier 1
💡 Hint: What should you always do first before starting any attack?

Signature Exclusion

Verifier 2
💡 Hint: Perhaps some insecure signing algorithms are supported?

Verifier 3
💡 Hint: What about different speLliNgS of the algorithm?

Key Confusion

Verifier 4
💡 Hint: Perhaps a confusion between symmetric and asymmetric cryptography is applicable. There was an interesting bug recently in which the modulus was used for HMAC verification.

Verifier 5
💡 Hint: Perhaps a confusion between symmetric and asymmetric cryptography is applicable. The PEM format is just so simple and intuitive. Sometimes secrets are base64 encoded, so make sure to check the "secret base64 encoded" checkbox on JWT.io.

Verifier 6
💡 Hint: Trust establishment is essential for JWTs. Generating your own key should be no problem for you.

Insecure Features

Verifier 7
💡 Hint: There are different possibilities for SSRF attacks. Did you know that you can place a jwk in the JWT header?
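As an added defender-side example (not part of the challenge page or its verifiers), the token check below applies the mitigations that close the four attack classes listed above: one fixed, case-sensitive algorithm bound to the configured key (Trivial Attack, Signature Exclusion, Key Confusion) and rejection of key material supplied in the token header such as an embedded jwk (Insecure Features). The secret, the helper names and the test tokens are constructed; the claim values mirror the page's example token.

```python
import base64
import hashlib
import hmac
import json

# The verifier, not the token, fixes the algorithm: one exact, case-sensitive value bound to the
# configured key type (an HMAC secret here; a server holding an RSA public key would configure
# "RS256" and thereby refuse HS256 tokens MACed with that public key).
EXPECTED_ALG = "HS256"
# Header parameters through which a token could supply its own trust material.
UNTRUSTED_KEY_PARAMS = {"jwk", "jku", "x5u", "x5c"}
# Constructed demo secret and claims (claims mirror the page's example token).
DEMO_KEY = b"constructed-demo-secret"
DEMO_CLAIMS = {"aud": "Vladislav.Mladenov", "amount": "99",
               "iban": "DE72 1234 5678 8901 23", "iss": "Christian.Mainka"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(header: dict, payload: dict, key: bytes = DEMO_KEY) -> str:
    """Test helper: builds a compact JWS, signed only when alg is HS256, else unsigned."""
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    if header.get("alg") == "HS256":
        mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{b64url_encode(mac)}"
    return signing_input + "."


def verify(token: str, key: bytes = DEMO_KEY) -> dict:
    """Return the claims if the token verifies under EXPECTED_ALG, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Signature Exclusion: "none", "NONE", "nOnE" or any other alg fails the exact compare.
    if header.get("alg") != EXPECTED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # Insecure Features: key material carried in the header is never used or fetched.
    if UNTRUSTED_KEY_PARAMS.intersection(header):
        raise ValueError("token-supplied key material rejected")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    # Constant-time compare; an altered iban changes the signing input and fails here.
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))
```

A production verifier additionally checks `iss`, `aud` and expiry after the signature step; those claim checks are omitted here to keep the focus on the signature handling.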
