Exploiting JWT - Lack of Signature Verification
TL;DR

Here goes the short PoC:

- WebApp using JWT for authentication.
- Removed the signature. Signature is not being verified; token still works.
- Modified and re-encoded payload to get an account takeover.

PS: Header was untouched - "alg": "HS256"
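As an added example (not code from the original post), a stdlib-only Python reproduction of the two server-side behaviours the TL;DR contrasts: a decoder that reads the payload without ever checking the signature, and a fixed decoder that pins alg to HS256, refuses an empty signature segment and compares HMACs in constant time. The secret and both tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed; a real service loads this from a secret store


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # Issue a token the way the server would: header.payload.HMAC-SHA256(header.payload)
    signing_input = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    return signing_input + "." + b64url_encode(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())


def decode_unverified(token: str) -> dict:
    # The bug on the page: the payload is trusted without the signature ever being checked
    return json.loads(b64url_decode(token.split(".")[1]))


def decode_verified(token: str, secret: bytes) -> dict:
    # Fixed check: three segments, alg pinned to HS256, non-empty signature, constant-time compare
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not sig_b64:
        raise ValueError("missing signature")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def demo() -> dict:
    # Replay the page's PoC: header untouched, payload edited, signature segment removed
    legit = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "role": "user"}, SECRET)
    tampered = legit.split(".")[0] + "." + b64url_encode(b'{"sub":"admin","role":"admin"}') + "."
    out = {"unverified_sub": decode_unverified(tampered)["sub"]}
    try:
        decode_verified(tampered, SECRET)
        out["verified"] = "accepted"
    except ValueError as err:
        out["verified"] = str(err)
    return out
```

`demo()` shows the unverified decoder handing back the edited "admin" subject while the fixed decoder rejects the same token with "missing signature".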
A ...
blog.dixitaditya.com - 3 min read