YPYogeshwar Peelainexploitnotes.hashnode.dev·6h ago · 4 min readHackTheBox : WayWitch WriteupSummary The ticket portal generates guest session JWTs client-side, signing them with an HMAC secret (halloween-secret) that's hardcoded directly in the page's JavaScript. Since the server verifies to00