
- by x32x01

The server verifies tokens but does not enforce the alg value from a trusted list, and you see a token signed with alg: "HS256".
You try changing the token header to alg: "none" and the server accepts it.


- Steal users’ plain-text passwords from the database
- Forge tokens to impersonate an admin account and gain full app access
- Trigger server-side remote code execution (RCE) immediately
- Cause a DoS by flooding token verification calls
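The scenario above, worked through as an added example (not code from the original post or from any particular library): a minimal HS256 issuer, a verifier that dispatches on whatever alg the token's own header claims, and a hardened verifier that checks the header alg against a server-side allowlist before touching the signature. The secret and the claims are constructed for the example; the forged token carries alg "none", an empty signature segment and an admin role.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for the example; the real server's HMAC key would live in a secret store.
SERVER_SECRET = b"constructed-example-secret"

# The server's own list of acceptable algorithms; "none" is deliberately absent.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT strips so the stdlib decoder accepts it.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a token the way the server does: HMAC-SHA256 over header.payload."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    body = _segment(payload)
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def forge_none_token(payload: dict) -> str:
    """Attacker side: same structure, but the header claims alg 'none' and the signature is empty."""
    header = _segment({"alg": "none", "typ": "JWT"})
    return f"{header}.{_segment(payload)}."


def verify_vulnerable(token: str, secret: bytes) -> Optional[dict]:
    """Trusts the alg named in the token's own header, which is the flaw in the scenario."""
    header_b64, body_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg == "none":
        # Bug: an unsigned token is accepted because the attacker asked for no signature check.
        return json.loads(b64url_decode(body_b64))
    if alg == "HS256":
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(body_b64))
    return None


def verify_hardened(token: str, secret: bytes) -> Optional[dict]:
    """Rejects any alg outside the server's allowlist before doing anything with the token."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") not in ALLOWED_ALGS:
        return None  # covers "none", "None", "NONE", RS256-confusion headers, anything unexpected
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not sig_b64 or not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))


if __name__ == "__main__":
    legit = sign_hs256({"sub": "alice", "role": "user"}, SERVER_SECRET)
    forged = forge_none_token({"sub": "alice", "role": "admin"})
    print("vulnerable, legit :", verify_vulnerable(legit, SERVER_SECRET))
    print("vulnerable, forged:", verify_vulnerable(forged, SERVER_SECRET))
    print("hardened,   legit :", verify_hardened(legit, SERVER_SECRET))
    print("hardened,   forged:", verify_hardened(forged, SERVER_SECRET))
```

The hardened verifier never consults the token's header to decide how to verify; the server decides, and the header is only checked for agreement. The same allowlist discipline is what blocks the related RS256-to-HS256 confusion, since a header naming an algorithm the server does not issue is rejected outright.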
