A web application issues JWTs for authentication. The developer trusted the algorithm field in the token header. Can you forge a valid admin token?
100 pts
Web / Medium
Blind SQLi
The login form does not display error messages, making classic SQL injection harder. Extract the admin password character by character using time-based blind injection.
250 pts
Web / Medium
XSS Meets CSP
The application has a Content Security Policy, but the developer made a mistake. Bypass the CSP and steal the admin session cookie via XSS.
300 pts
Web / Hard
SSRF to Internal Cloud
A document converter accepts URLs. The internal network hosts an AWS metadata endpoint at 169.254.169.254. Pivot through SSRF to steal IAM credentials.