Attacking Authentication Mechanisms Skills Assessment

Guys, did you finish the Attacking Authentication Mechanisms module? I got stuck in the skills assessment, any hint?

I finished recently. My advice is to not overthink. Interact with the page and pay attention to its response.

Thank you @j0rg3k, I will try playing with it

Hi bro, still unable to figure it out, any hint for me? I’m getting crazy here

@j0rg3k - I’ve got the token and been able to modify it but I’m not sure where to send it.

I’ve tried to /, /login, and /register and none of those seem to work. I’ve also run gobuster against the target looking for other paths and I haven’t been able to find anything else that’s live.

Remember which page asked you for the token. You have everything you need. Don’t overthink.

@j0rg3k I appreciate the hints but I’m still unable to make any progress.

- I send the required info to /register.
- Log in with the required info at /login and copy the token.
- Use jwt.io to modify the isAdmin field to true.

If I send the token to /login or /register, it’s asking for the required info. If I send the info plus the token, it returns yet another token. If I send the token to / it comes back with 404 page not found.

I’m not sure where else I can send the token to. Any other hints would be really helpful.

Thanks

You are on the right track. Remember to validate your JWT token after tampering with it. Use the validated token on the page that requested authentication.
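As an added illustration of why the "validate after tampering" hint matters, here is a minimal HS256 verifier as a server would implement it (example code, not from the thread or the module): a token whose isAdmin claim was edited without re-signing fails the signature check, an alg "none" header is rejected, and only a validly signed token grants admin. The secret and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real server loads this from configuration.
DEMO_SECRET = b"constructed-demo-secret"
JSON_COMPACT = {"separators": (",", ":")}

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue an HS256 token, as /login would after a valid login."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **JSON_COMPACT).encode())
    body = b64url_encode(json.dumps(payload, **JSON_COMPACT).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims only when the signature checks out; None otherwise."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    # Pin the algorithm server-side; never let the token choose (e.g. "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(body_b64))

def is_admin(token: str, secret: bytes = DEMO_SECRET) -> bool:
    """Authorization decision: admin only from a verified token's isAdmin claim."""
    claims = verify_hs256(token, secret)
    return bool(claims) and claims.get("isAdmin") is True

def edit_claims_unsigned(token: str, **changes) -> str:
    """Edit claims but keep the old signature: what a payload-only edit yields."""
    header_b64, body_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(body_b64))
    claims.update(changes)
    return f"{header_b64}.{b64url_encode(json.dumps(claims, **JSON_COMPACT).encode())}.{sig_b64}"
```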

@j0rg3k thank you. I’ve made some progress: I found the vulnerability and have been able to find the key, but I’m still unsure where to send it.

Sending to /login still asks for email/password and sending to / says 404 page not found. You say send it to the page that requested authentication. Is there another page other than /, /login, and /register?

Thank you,

No, those are the three pages