A sample JWT web app that can be used to demonstrate how to escalate permissions by cracking and forging JWT tokens.
This is a simple application where you can log in as a user with normal privileges (so normal that you can't do anything!) and, by hacking the session id (which is a simple JWT), you should try to escalate your privileges to admin.
npm install
npm start
The app can be configured through environment variables before running the server.
The configuration variables available are:
USERNAME: the username accepted for login (default luciano)
PASSWORD: the password to pass for the login (default mariobros)
SECRET: the secret used to sign the JWT token (default secret)
To understand better why this project exists and how to take advantage of it, you should have a look at the following slide deck:
You should also check (and maybe use) lmammino/distributed-jwt-cracker
Everyone is very welcome to contribute to this project. You can contribute just by submitting bugs or suggesting improvements by opening an issue on GitHub.
Licensed under MIT License. © Luciano Mammino.