[In this lab](https://portswigger.net/web-security/jwt/lab-jwt-authentication-bypass-via-unverified-signature) the server **never performs that check**, so you can tamper with any claim (for example `sub`) and the token will still be accepted.
##### Quick roadmap
| Step | Action | Outcome |
| ---- | --------------------------------------------------------------------- | ----------------------------------- |
| 1 | Log in as **wiener** | Cookie `session=<jwt>` appears |
| 2 | Decode the payload | See `{"sub":"wiener", …}` |
| 3 | Request `/admin` | Access denied |
| 4 | Replace `sub` with `administrator` **without** touching the signature | Access granted |
| 5 | Hit `/admin/delete?username=carlos` | User **carlos** deleted; lab solved |
---
##### Detailed walkthrough
#### Capture your baseline token
1. **Start the lab** and log in with **wiener\:peter**.
2. In **Proxy → HTTP history** locate `GET /my-account`.
3. Note the cookie: `session=<long-jwt>`
4. Double-click the token → Burp’s **Inspector** shows the decoded JSON.
#### Prove signature verification is missing
1. Send the request to **Repeater**.
2. Change the path to `/admin`; click **Send** → expect 302/403.
3. In the **PAYLOAD** section overwrite `"sub":"wiener"` with `"sub":"administrator"`.
*Leave the SIGNATURE untouched.*
4. Click **Apply changes** → Inspector re-encodes the payload but keeps the old sig.
5. **Send** again → **200 OK** and the admin panel appears!
![[CleanShot 2025-07-19 at
[email protected]]]
#### Finish the objective
1. In the `/admin` HTML locate:
```html
<a href="/admin/delete?username=carlos">Delete</a>
```
2. Click it (or copy to Repeater) → **200 OK**, message “User deleted”.
3. The lab banner turns green: **Solved**.
---
#### Why does this work?
| JWT security requirement | Reality in this lab |
| ----------------------------------------------------- | ------------------- |
| Server **re-signs** header+payload with secret | ❌ Skipped |
| Server **compares** computed MAC to token’s SIGNATURE | ❌ Skipped |
| On mismatch → **reject** | ❌ Always accepts |
Result: any client can:
* Elevate privileges by changing `sub` or `role`
* Extend session lifetime by editing `exp`
* Inject arbitrary claims