[/MNT/AIN LIB] [WEB] pollpals


SRC: https://library.m0unt41n.ch/challenges/pollpals

Typical JWT misconfiguration, or let's call it a completely fucked up flow/logic/implementation.

The isAdmin function in auth.js has no signature check for the JWT; it just accepts any JWT, decodes it and trusts the claims inside...

JavaScript:
const parts = token.split('.');
// header and payload are only base64-decoded; parts[2] (the signature) is never looked at
const header = JSON.parse(Buffer.from(parts[0], 'base64').toString('utf8'));
const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
// ...
// the decision is based purely on unverified claims from the payload
if (username.includes('admin') && isAdmin === true) {
    next(); // access granted
}

This allows us to quickly forge a malicious JWT with Python or a tool like https://jwt.io/, set it as the polls cookie and visit /admin/flag.
