DTDuy Tien Nguyeninduytien.dev·8h ago · 7 min readOne assumption, four different trust mechanismsSigning infrastructure is invisible until it fails. And when it fails, the question that comes up is rarely "what broke technically" - it's "who actually did this." JWT, mTLS, HSM-backed signing, bloc00
Iitworkedonmymachineinitworkedonmymachine.hashnode.dev·18h ago · 6 min readStop Stashing Secrets: Generating Secure JWTs with AWS KMSIf your modern backend stack issues JSON Web Tokens (JWTs) to handle authentication, how are you securing the signing keys? If you are following the standard documentation for most modern application 10
YPYogeshwar Peelainexploitnotes.hashnode.dev·12h ago · 4 min readFAM CTF : The Vault Door WriteupSummary NexaVault is a mock internal dashboard app that gates an "Admin Vault" panel behind a role claim in a JWT. The app issues a user-role token on login, stored in the nx_access cookie, and trusts00
RMRenukashree Muraliinquietbytes.hashnode.dev·13h ago · 5 min readJWT Attack Lab — Part 8: Algorithm Confusion, and a Bug the Attack Uncovered By AccidentPart 8, the final stage in a series building a Flask API with JWT authentication, then deliberately exploiting six real vulnerabilities in it. Part 7 closed a gap in expiry enforcement. This last stag00
RMRenukashree Muraliinquietbytes.hashnode.dev·18h ago · 4 min readJWT Attack Lab — Part 7: When exp Isn't Actually Enforced EverywherePart 7 of a series building a Flask API with JWT authentication, then deliberately exploiting six real vulnerabilities in it. Part 6 spoofed a JWKS URL to bypass RS256 verification entirely. This part00
RMRenukashree Muraliinquietbytes.hashnode.dev·19h ago · 4 min readJWT Attack Lab — Part 6: Spoofing the JWKS URL an RSA Verifier TrustsPart 6 of a series building a Flask API with JWT authentication, then deliberately exploiting six real vulnerabilities in it. Part 5 exploited kid to point a local file lookup somewhere unintended. Th00
RMRenukashree Muraliinquietbytes.hashnode.dev·20h ago · 4 min readJWT Attack Lab — Part 5: Path Traversal Through the kid HeaderPart 5 of a series building a Flask API with JWT authentication, then deliberately exploiting six real vulnerabilities in it. Part 4 cracked a weak HMAC secret offline with hashcat. This part doesn't 00
RMRenukashree Muraliinquietbytes.hashnode.dev·21h ago · 4 min readJWT Attack Lab — Part 4: Cracking a Weak HMAC Secret With HashcatPart 4 of a series building a Flask API with JWT authentication, then deliberately exploiting six real vulnerabilities in it. Part 3 fixed the alg: none bypass by explicitly restricting which algorith00
YPYogeshwar Peelainexploitnotes.hashnode.dev·1d ago · 4 min readHackTheBox : WayWitch WriteupSummary The ticket portal generates guest session JWTs client-side, signing them with an HMAC secret (halloween-secret) that's hardcoded directly in the page's JavaScript. Since the server verifies to00
RMRenukashree Muraliinquietbytes.hashnode.dev·1d ago · 4 min readJWT Attack Lab — Part 3: Protecting a Route, Then Bypassing It With alg: nonePart 3 of a series building a Flask API with JWT authentication, then deliberately exploiting six real vulnerabilities in it. Part 2 covered what a JWT actually is and how one gets issued. This part p00