- by x32x01
While testing a web app, you find an endpoint that accepts a JWT in the Authorization header.
The server verifies tokens but does not enforce the alg value from a trusted list, and you notice a token signed with alg: "HS256".
You try changing the token header to alg: "none", and the server accepts it.
What’s the most serious impact an attacker could achieve from this vulnerability?
Options
- Steal users’ plain-text passwords from the database
- Forge tokens to impersonate an admin account and gain full app access
- Trigger server-side Remote Code Execution (RCE) immediately
- Cause a Denial of Service (DoS) by flooding token verification requests
Comment your answer below 👇
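Added example, not part of the original post: a minimal HS256 verifier in Python that shows the flaw the question describes (the token's own header decides whether a signature is checked) beside a version that enforces a trusted `alg` list. The key, claims and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"   # constructed sample key, not from the post
ALLOWED_ALGS = {"HS256"}           # the trusted list the server in the question lacks

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(head: str, body: str) -> bytes:
    return hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_token(payload: dict, alg: str) -> str:
    """Build a compact JWT; any alg other than HS256 gets an empty signature."""
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = mac(head, body) if alg == "HS256" else b""
    return f"{head}.{body}.{b64url(sig)}"

def verify_lenient(token: str) -> dict:
    """The flaw: the header picks the algorithm, so 'none' skips the check."""
    head, body, sig = token.split(".")
    alg = json.loads(unb64url(head))["alg"]
    if alg == "HS256" and not hmac.compare_digest(mac(head, body), unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(unb64url(body))  # any other alg falls through unchecked

def verify_strict(token: str) -> dict:
    """The fix: reject any alg outside the allowlist, then always check the MAC."""
    head, body, sig = token.split(".")
    alg = json.loads(unb64url(head)).get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"alg {alg!r} not allowed")
    if not hmac.compare_digest(mac(head, body), unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(unb64url(body))

def accepted(verify, token: str) -> bool:
    """True if the verifier returns claims, False if it rejects the token."""
    try:
        verify(token)
        return True
    except ValueError:
        return False
```

Most JWT libraries expose the same control as an explicit list of accepted algorithms passed to the decode call; the check belongs on the server side and must never be derived from the token being verified.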