Exploiting JWT - Lack of Signature Verification
TL;DR: Here goes the short PoC. WebApp using JWT for authentication. Removed the signature. Signature is not being verified. Token still works. Modified and re-encoded payload to get an account takeover. PS: Header was untouched: "alg": "HS256". A ...
Aug 6, 2020 · 3 min read
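The failure the TL;DR describes is an application that base64-decodes the JWT payload and trusts it without ever checking the third segment. Below is an added example, not code from the original post, that puts the insecure decoder beside a strict HS256 verifier built on the Python standard library. The key, the claims and the function names are constructed for the demo; the strict verifier pins the algorithm server-side, refuses a token whose signature segment is empty, and compares the HMAC in constant time.

```python
"""Added example (not from the original post): minimal HS256 JWT mint/verify
using only the standard library, with an insecure decoder beside a strict
verifier that rejects a token whose signature segment has been removed."""
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service loads this from a secrets store.
DEMO_KEY = b"demo-secret-do-not-use"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def mint_token(payload: dict, key: bytes) -> str:
    """Issue a compact JWT with header {"alg": "HS256", "typ": "JWT"}."""
    header = _b64url_encode(
        json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    )
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def insecure_decode(token: str) -> dict:
    """The bug from the post: the payload is trusted, the signature is never read."""
    body = token.split(".")[1]
    return json.loads(_b64url_decode(body))


def verify_token(token: str, key: bytes) -> dict:
    """Strict verifier: exactly three segments, non-empty signature, pinned alg."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, body_b64, sig_b64 = parts
    if not sig_b64:
        raise ValueError("empty signature")
    header = json.loads(_b64url_decode(header_b64))
    # The server decides the algorithm; the token's "alg" is only checked, never obeyed.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(_b64url_decode(body_b64))


def demo() -> dict:
    """Run both decoders on a token whose signature segment has been dropped."""
    token = mint_token({"sub": "alice", "role": "user"}, DEMO_KEY)
    stripped = token.rsplit(".", 1)[0] + "."  # header.payload. with no signature
    result = {"insecure": insecure_decode(stripped)["sub"]}
    try:
        verify_token(stripped, DEMO_KEY)
        result["strict"] = "accepted"
    except ValueError as exc:
        result["strict"] = str(exc)
    return result


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `{'insecure': 'alice', 'strict': 'empty signature'}`: the insecure path happily yields claims from a token with no signature at all, which is exactly the condition the post exploited, while the strict verifier stops before looking at the payload. In production use a maintained JWT library with the algorithm allow-list fixed in code, but the checks above are the ones to confirm it performs.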