JWT Attack Lab — Part 7: When exp Isn't Actually Enforced Everywhere
Part 7 of a series building a Flask API with JWT authentication, then deliberately exploiting six real vulnerabilities in it.
Part 6 spoofed a JWKS URL to bypass RS256 verification entirely. This part
quietbytes.hashnode.dev4 min read