CTF Writeup: JWT 'alg:none' Flaw Exploited to Gain Admin Access in NexaVault
A Capture The Flag (CTF) challenge called 'The Vault Door' featured NexaVault, a mock web app that restricted an Admin Vault panel using role claims stored in a JWT cookie. The app failed to enforce a fixed signing algorithm server-side, instead trusting the 'alg' field supplied within the attacker-controlled token header. By forging a new JWT with the algorithm set to 'none' and the role changed to 'admin', a participant bypassed authentication without needing the server's secret key. The server accepted the unsigned token and granted full admin access, revealing the CTF flag. This exploit illustrates the classic CWE-347 JWT algorithm confusion vulnerability, where developers must hardcode the expected algorithm rather than deriving it from the token itself.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in