<!DOCTYPE html> <html> <head> <title>Leaky JWT</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="shortcut icon" type="image/png" href="/public/img/favicon.ico"> <link href="/public/css/authlab.css" rel="stylesheet" type="text/css" /> <meta property="og:title" content="Authentication Lab - DigiNinja" /> <meta property="og:description" content="A set of authentication challenges covering a range of different technologies." /> <meta property="og:image" content="https://digi.ninja/graphics/twittercards/authlab_twittercard.png" /> <meta property="og:type" content="website" /> <meta property="og:sitename" content="DigiNinja" /> <meta name="twitter:card" content="summary" /> <meta name="twitter:title" content="Authentication Lab - DigiNinja" /> <meta name="twitter:description" content="A set of authentication challenges covering a range of different technologies." /> <meta name="twitter:site" content="@digininja" /> <meta name="twitter:creator" content="@digininja" /> <meta name="twitter:domain" content="authlab.digi.ninja" /> <meta name="twitter:image" content="https://digi.ninja/graphics/twittercards/authlab_twittercard.png" /> </head> <body> <h1>Leaky JWT</h1> <p> Signed JWTs may look like secret data but are easy to decode: the header and payload are only base64url-encoded, and the signature protects their integrity, not their confidentiality. Anyone who holds the token can read every claim in it without knowing the signing key. When the developer put this together, they pulled the whole user object out of the database and put it into the token, rather than including only the information the application actually needs. </p> <p> You have acquired the following token from your victim's browser local storage. Decode it and use the information to log in below. 
</p> <p> <textarea class="jwt_textarea" id="leaky_jwt_textbox">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsZXZlbCI6ImFkbWluIiwicGFzc3dvcmQiOiIyYWM5Y2I3ZGMwMmIzYzAwODNlYjcwODk4ZTU0OWI2MyIsInVzZXJuYW1lIjoiam9lIn0.6j3NrK-0C7K8gmaWeB9CCyZuQKfvVEAl4KhitRN2p5k</textarea> </p> <p> If you need help decoding the token, this is a good resource: <a href="https://jwt.io">JWT.IO</a>. </p> <p> If you get stuck, or want more information, see my <a href="https://digi.ninja/projects/authlab.php#landleakyjwt">walkthrough</a>. </p> <h2>Leaky Login</h2> <p class="error"> </p> <form method="post" action="/Leaky_JWT_Login"> <label for="username">Username</label> <input type="text" id="username" name="username" value="" autofocus /><br /> <label for="password">Password</label> <input type="password" id="password" name="password" value="" /><br /> <input type="submit" value="Login" /> </form> <p> <a href="/">Back to home</a> </p> <hr /> <p> Lab created by Robin Wood - <a href="https://digi.ninja">DigiNinja</a> </p> </body> </html>
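As an added example, not part of the lab page or its author's code: a standard-library Python script that decodes the token shown above without any key, then shows that verifying or minting an HS256 signature is the only step that does need the key. The secrets b"not-the-lab-secret" and b"demo-secret" are made-up values for the demonstration; the lab's real signing key is not known here.

```python
"""Decode a JWT without its key; verify and sign HS256 tokens with one.

LAB_TOKEN is the token from the lab page above. The secrets used in the
demonstration at the bottom are constructed for this example only.
"""
import base64
import hashlib
import hmac
import json
import re

# Token from the lab page: header.payload.signature, base64url without padding.
LAB_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJsZXZlbCI6ImFkbWluIiwicGFzc3dvcmQiOiIyYWM5Y2I3ZGMwMmIzYzAwODNlYjcwODk4ZTU0OWI2MyIsInVzZXJuYW1lIjoiam9lIn0."
    "6j3NrK-0C7K8gmaWeB9CCyZuQKfvVEAl4KhitRN2p5k"
)


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Base64url-encode without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _compact_json(obj: dict) -> str:
    """Serialise with no whitespace and base64url-encode it (one JWT segment)."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, claims). No key is involved: the two segments are only
    encoded, so anyone holding the token can read every claim in it."""
    header_b64, claims_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


def is_hex_digest(value: object, bits: int = 128) -> bool:
    """True if value is a lowercase hex string of the given digest length
    (128 bits is 32 hex characters, the size of an MD5 output)."""
    return isinstance(value, str) and re.fullmatch(r"[0-9a-f]{%d}" % (bits // 4), value) is not None


def verify_hs256(token: str, secret: bytes) -> bool:
    """Check the HMAC-SHA256 over 'header.payload'. This is the only step that
    needs the key, and it proves integrity, not secrecy."""
    signing_input, _, sig_b64 = token.rpartition(".")
    try:
        provided = b64url_decode(sig_b64)
    except ValueError:  # malformed signature segment: treat as not verified
        return False
    expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, provided)


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 token. Put only the claims the relying party needs in it."""
    signing_input = _compact_json({"alg": "HS256", "typ": "JWT"}) + "." + _compact_json(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


if __name__ == "__main__":
    header, claims = decode_unverified(LAB_TOKEN)
    print("header:", header)
    print("claims:", claims)
    print("password claim has the shape of an MD5 digest:", is_hex_digest(claims["password"]))
    # Decoding succeeded, but without the lab's key verification cannot (constructed guess).
    print("verifies with a guessed key:", verify_hs256(LAB_TOKEN, b"not-the-lab-secret"))
    # A token carrying only what the server needs, signed with a constructed example key.
    minimal = sign_hs256({"username": claims["username"], "level": claims["level"]}, b"demo-secret")
    print("minimal token:", minimal)
    print("verifies with its own key:", verify_hs256(minimal, b"demo-secret"))
```

Running it prints the decoded claims: a username, a level, and a password claim that is a 32-character hex string, the length of an MD5 digest rather than a plaintext password; what to do with it is covered in the walkthrough the page links. Two practitioner notes: decode_unverified is for reading a token you already hold, and a server must never act on claims from a token it has not verified; and the fix for the leak is on the issuing side, which is why sign_hs256 takes an explicit claims dict instead of a whole user record.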