[In this lab](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature) the server **never performs that check**, so you can tamper with any claim (for example `sub`) and the token will still be accepted. ##### Quick roadmap | Step | Action | Outcome | | ---- | --------------------------------------------------------------------- | ----------------------------------- | | 1 | Log in as **wiener** | Cookie `session=<jwt>` appears | | 2 | Decode the payload | See `{"sub":"wiener", …}` | | 3 | Request `/admin` | Access denied | | 4 | Replace `sub` with `administrator` **without** touching the signature | Access granted | | 5 | Hit `/admin/delete?username=carlos` | User **carlos** deleted; lab solved | --- ##### Detailed walkthrough #### Capture your baseline token 1. **Start the lab** and log in with **wiener\:peter**. 2. In **Proxy → HTTP history** locate `GET /my-account`. 3. Note the cookie: `session=<long-jwt>` 4. Double-click the token → Burp’s **Inspector** shows the decoded JSON. #### Prove signature verification is missing 1. Send the request to **Repeater**. 2. Change the path to `/admin`; click **Send** → expect 302/403. 3. In the **PAYLOAD** section overwrite `"sub":"wiener"` with `"sub":"administrator"`. *Leave the SIGNATURE untouched.* 4. Click **Apply changes** → Inspector re-encodes the payload but keeps the old sig. 5. **Send** again → **200 OK** and the admin panel appears! ![[CleanShot 2025-07-19 at [email protected]]] #### Finish the objective 1. In the `/admin` HTML locate: ```html <a href="/admin/delete?username=carlos">Delete</a> ``` 2. Click it (or copy to Repeater) → **200 OK**, message “User deleted”. 3. The lab banner turns green: **Solved**. --- #### Why does this work? | JWT security requirement | Reality in this lab | | ----------------------------------------------------- | ------------------- | | Server **re-signs** header+payload with secret | ❌ Skipped | | Server **compares** computed MAC to token’s SIGNATURE | ❌ Skipped | | On mismatch → **reject** | ❌ Always accepts | Result: any client can: * Elevate privileges by changing `sub` or `role` * Extend session lifetime by editing `exp` * Inject arbitrary claims