API 03
This exercise is the API version of an exercise you already solved in another badge. You should use it to get more confident with discovering vulnerabilities without any hint on what to look for.
In this challenge, you need to uncover a vulnerability that grants access to a key stored as a secret within the admin's account. By signing up as test@pentesterlab.com and creating a secret, you can explore the application's behavior through network inspection tools. The challenge involves manipulating the JWT token to bypass authentication mechanisms.
The video guide walks you through the process of capturing the network traffic, copying the JWT token, and attempting to manipulate it. When direct IDOR (Insecure Direct Object References) attacks fail, the focus shifts to tampering with the JWT token. By cracking the weak signature of the token using hashcat and the rockyou.txt password list, you can craft a valid token, impersonate the admin user, and retrieve the key for the challenge.