So the next step for this is, where do we go from here to modify the code to fix this problem? Now, the JWT code is a little bit complex and it does build on a bunch of different things that the OWASP engineers, or the person behind this lesson, chose to do. So I'm going to walk you quickly through some of the code before you get started, and then I'll give you a chance to modify the code.

So every time we are switching users on Page 4, when you're switching users, it's actually calling this method and it's building a user for you by default, so it's putting admin false for all of them. When you go to test your code, I recommend maybe taking one of the users, and we know Tom, Jerry, and Sylvester are the three users. I recommend putting an if statement in here to maybe make one of them admin by default, so that you can test your code without having to actually hack it, and so that the actual claim that's put there is properly signed with the signature that they had in here. So the way I would do this is, I would put a simple if statement: if user... and I don't remember if it comes in as lowercase or uppercase, I'm just going to take the user and make it lowercase and test to see if it has Tom in it, for instance. So on the else we're going to keep it as false, but if it is Tom we're going to make him admin. So just know that it should work on Tom but it should not work on all the other users. When you go to do that through the Repeater to do the attack, don't use Tom, because Tom is obviously an admin so you don't even need to modify any of the tokens that are being set. So that's Part 1.

The reset, which is what gets called when you hit that trashcan icon, is at the end of the page, JWTVotesEndpoint.java, and something in this method is wrong: it's not properly validating the tokens as they're coming across. So you can take a look at that, and I'll just give a small hint here: the parse method is supposed to send a signature exception.
However, if you look here, the documentation for it reads "parses a specific compact serialized JWT string based on the builder's current configuration state and returns a JWT or JWS instance." This method returns a JWT based on what it takes in. If you actually look at the signature exception, the documentation for it says, "If the JWS signature was discovered." Meaning that if the signature is not a JWS signature, it's just a regular JWT, it's not going to check the signature for it. So that's the implementation of the parse. So that's a little bit of a trick to get you started.

There are a lot of ways you can go about this. So I will have a hint video, just so that you don't have to re-engineer everything. In fact, the JWT class is something that was written specifically for this project, so it doesn't have some of the facilities like verify token that you'll find in some of the recommendation pieces. If we go to search for "JWT OWASP cheat sheet", there are some hints about how to go about doing this. If you actually look, the attack that we just did was the none hashing algorithm, and JWT verifier is a way of going about this. Now, I'll give another hint on another video, if you want to try this without the hints and see if you can get the token to be verified.
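To make the lecture's point concrete, here is an added Python example (not WebGoat's code and not the jjwt library) that mirrors the two parsing behaviours described above: a lenient parser that only checks a signature when the token happens to be a JWS, which is the behaviour the speaker describes for `parse`, next to a strict parser that insists on an HS256 JWS, the role `parseClaimsJws` with a pinned key plays in jjwt. The secret and the user claims are constructed for the demo; the lenient parser accepts a token whose signature was stripped and whose header says `alg: none`, the strict one rejects it.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; WebGoat's own signing key is deliberately not reproduced here.
SECRET = b"demo-secret-not-the-lesson-key"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT base64url strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a properly signed HS256 JWS, like the lesson's login code does."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def forge_unsigned(claims: dict) -> str:
    """The 'none' variant the lecture attacks: header says alg none, signature segment empty."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def parse_lenient(token: str, key: bytes) -> dict:
    """Flawed: verifies only when the token is a JWS; a plain JWT is trusted as-is."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    if sig_b64 == "" or header.get("alg") == "none":
        return claims  # no signature present, so nothing is checked: this is the bug
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return claims


def parse_strict(token: str, key: bytes) -> dict:
    """Fixed: require a JWS signed with the one algorithm the server expects."""
    parts = token.split(".")
    if len(parts) != 3 or parts[2] == "":
        raise ValueError("unsigned JWT rejected")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(parts[1]))


def demo() -> dict:
    """Run both parsers over a genuine token and a forged one; returns what each accepted."""
    genuine = sign_hs256({"user": "jerry", "admin": False}, SECRET)
    forged = forge_unsigned({"user": "jerry", "admin": True})
    result = {
        "genuine_admin": parse_strict(genuine, SECRET)["admin"],
        "lenient_forged_admin": parse_lenient(forged, SECRET)["admin"],
    }
    try:
        parse_strict(forged, SECRET)
        result["strict_rejects_forged"] = False
    except ValueError:
        result["strict_rejects_forged"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The difference to look for in the lesson's Java is the same: a parser that returns "a JWT or JWS based on what it takes in" lets the client decide whether a signature exists at all, whereas the fix pins the expected algorithm and key and treats anything unsigned as invalid.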