A sample JWT web app that can be use to demonstrate how to escalate permissions by cracking and forging JWT tokens
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
src
.eslintrc
.gitignore
LICENSE
README.md
package-lock.json
package.json

README.md

sample-jwt-webapp

JavaScript Style Guide

A sample JWT web app that can be use to demonstrate how to escalate permissions by cracking and forging JWT tokens

Idea

This is a simple application where you can login as a user with normal privileges (so normal that you can't do anything!) and by hacking the session id (which is a simple JWT) you should try to escalate your privileges to being an admin.

How to run it

  1. Clone this repo
  2. Install dependencies (npm install)
  3. Run the server (npm start)
  4. Have fun (on localhost:3000)

Configuration

The app can be configured through environment variables before running the server.

The configuration variables available are:

  • USERNAME: the username accepted for login (default luciano)
  • PASSWORD: the password to pass for the login (default mariobros)
  • SECRET: the secret used to sign the jwt token (default secret)

Hint

To understand better why this project exists and how to take advantage of it you should have a look at the following slides deck:

You should also check (and maybe use) lmammino/distributed-jwt-cracker

Contributing

Everyone is very welcome to contribute to this project. You can contribute just by submitting bugs or suggesting improvements by opening an issue on GitHub.

License

Licensed under MIT License. © Luciano Mammino.