Weak Public/Private Keys

Hey there!
I stuck for a few days on Weak Public/Private Keys section of the Attacking Authentication Mechanisms module :neutral_face: , still can’t receive the JWT from the response.

I have:
imported pub.crt and private.pem;
changed logged in username value to hackme;
assertions successfully signed

however my request still attempting to redirect me back to the root web directory.

Can someone tell me what have I missed ?

1 Like

Same here

I had the same problem spent like 3-4 hours trying to figure it out. What worked for me was opening a private window and authenticating to the identity provider and trying the exploit immediately after.

Whenever i authenticated to the identity provider and then logged out and then logged back in automatically and then tried running the exploit it didnt work for me.

So try opening a private window so the idp won’t automatically remember you and log you in and try running the exploit after freshly authenticating to the idp.