pollpals
SRC: https://library.m0unt41n.ch/challenges/pollpals
A typical JWT misconfiguration, or rather a completely broken flow/logic/implementation.
The isAdmin function in auth.js performs no signature check on the JWT: it accepts any token, decodes it and uses the claims as-is...
JavaScript:
const parts = token.split('.');
// Only the header (parts[0]) and payload (parts[1]) are decoded; parts[2], the signature, is never looked at.
const header = JSON.parse(Buffer.from(parts[0], 'base64').toString('utf8'));
const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
// ... (username and isAdmin come straight from the unverified payload)
if (username.includes('admin') && isAdmin === true) {
  next(); // access granted
}
This lets us quickly forge a malicious JWT with Python or a tool like https://jwt.io/ (any signature, or none at all, is accepted), set it as the polls cookie and visit /admin/flag.