Leaky JWT

Signed JWTs may look like secret data but are easy to decode. When the developer put this together, they just pulled the whole user object out of the database and put it into the token rather than only including the information required.

You have acquired the following token from the local storage of your victim, decode it and use the information to login below.

If you need help decoding the token, this is a good resource: JWT.IO.

If you get stuck, or want more information, see my walkthrough.

Leaky Login

Back to home

Lab created by Robin Wood - DigiNinja