A sample JWT web app that can be used to demonstrate how to escalate privileges by cracking and forging JWTs.
This is a simple application where you can log in as a user with normal privileges (so normal that you can't do anything!). The session id is a plain JWT: by hacking it (recovering the signing secret and forging a token with higher privileges) you should try to escalate yourself to admin.
How to run it
- Clone this repo
- Install dependencies (
- Run the server (
- Have fun (on localhost:3000)
The app can be configured through environment variables before running the server.
The configuration variables available are:
USERNAME: the username accepted for login (default
PASSWORD: the password accepted for login (default
SECRET: the secret used to sign the JWT (default
To better understand why this project exists and how to take advantage of it, have a look at the following slide deck:
You should also check (and maybe use)
Everyone is very welcome to contribute to this project. You can contribute simply by reporting bugs or suggesting improvements in an issue on GitHub.
Licensed under MIT License. © Luciano Mammino.