JWT (not) revoked token
RootMe challenge: JWT - Revoked token:
Two endpoints are available:
POST : /web-serveur/ch63/login
GET : /web-serveur/ch63/admin
Gain access to the admin endpoint.
The developer blacklists the full JWT string (or a hash of it) instead of revoking the token's JTI (JWT ID) claim, so a differently encoded copy of the same signed token is not found on the blacklist.

Change request method to POST:

Get token for admin:admin:

Use the token against the admin endpoint to get the flag (add an = at the end of it: the string no longer matches the blacklist entry, but the signature still verifies).
Techniques
Counter moves
JWT (not) revoked token is the case here. The fixes reduce to server-side validation and least privilege: revoke the JTI that the verified token carries, not the raw token string or its hash, and check that revocation list after the signature has been verified. The defender's view is in the blue notes on the application layer as a target.
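The bug described above and its counter move, side by side, as an added example that is not part of the original write-up or the challenge's code: a minimal HS256 JWT issuer and verifier, a revocation check keyed on the hash of the raw token string (which a trailing = slips past), and the fixed check keyed on the jti claim of the verified token. The key, claims and tolerant base64url decoding are assumptions made for the demo.

```python
import base64, hashlib, hmac, json, uuid

SECRET = b"constructed-demo-key"  # constructed for this demo, not the challenge's key

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(seg: str) -> bytes:
    # Tolerant like most JWT libraries: strip any '=' and re-pad, so
    # "abc", "abc=" and "abc==" all decode to the same bytes.
    seg = seg.rstrip("=")
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def issue(claims: dict) -> str:
    """Mint an HS256 JWT that carries a unique jti claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({**claims, "jti": str(uuid.uuid4())}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify(token: str) -> dict:
    """Check the HMAC and return the claims; raise ValueError otherwise."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))

# Weak revocation (the challenge's bug): blacklist the hash of the raw token string.
revoked_hashes: set[str] = set()

def weak_revoke(token: str) -> None:
    revoked_hashes.add(hashlib.sha256(token.encode()).hexdigest())

def weak_is_valid(token: str) -> bool:
    if hashlib.sha256(token.encode()).hexdigest() in revoked_hashes:
        return False
    return bool(verify(token))  # a re-encoded copy ("token=") still passes

# Fixed revocation: verify first, then blacklist the jti the token carries.
revoked_jtis: set[str] = set()

def fixed_revoke(token: str) -> None:
    revoked_jtis.add(verify(token)["jti"])

def fixed_is_valid(token: str) -> bool:
    return verify(token)["jti"] not in revoked_jtis
```

Because the fixed check runs after signature verification and keys on a claim inside the token, every encoding of the same token maps to the same revoked jti.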