00 — Overview
FirstBank — Session Token
FirstBank signs JWTs with a weak secret. Crack it with hashcat, forge a token with role: admin, and access accounts that aren't yours.
Intermediate · 35 min · 3 tasks
// By the end of this module
→ Forge JWT tokens to impersonate bank staff
→ Exploit algorithm confusion to sign tokens without the private key
→ Escalate from customer to admin role via JWT claim manipulation
