Challenge #13: Token of Trust

EASY Web Security / JWT 🏆 100 pts

jwt web base64 authentication tokens

📋 Mission Brief

A JWT token was intercepted from a web application during a security audit. Web tokens often carry more information than developers intend. Your job is to decode it and find what was hidden inside.

🎯 The Challenge

A JWT (JSON Web Token) was intercepted from an Authorization header in HTTP traffic. The application transmits this token with every authenticated request.

JWT tokens have three parts separated by dots:
header.payload.signature

Each part is Base64URL encoded. Base64URL is like regular Base64 but:
+ becomes -
/ becomes _
= padding may be omitted

Step 1: Decode the token — paste it at jwt.io or decode manually
Step 2: Read ALL fields in the payload carefully
Step 3: One field contains an encoded value — decode it to reveal the flag
Challenge file: ch13_jwt_forensics.zip

Hint: the payload contains a field called "debug_flag". Its value is base64-encoded. Decode it with: python3 -c "import base64; print(base64.b64decode('VALUE').decode())"
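The three steps above, worked end to end in Python as an added example that is not part of the challenge files: the token, key and flag value are constructed here, and the code also checks the HS256 signature to make the point that decoding a JWT is not the same as verifying it.

```python
import base64
import hashlib
import hmac
import json
# Constructed demo values; the real key and flag are not on this page.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_FLAG = "PlainlySec{constructed_example_flag}"

def b64url_decode(segment: str) -> bytes:
    """Base64URL-decode one JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    """Base64URL-encode with padding stripped, as JWT libraries do."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(key: bytes = SAMPLE_KEY) -> str:
    """Build a constructed HS256 token whose debug_flag claim is base64-encoded."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": "alice", "role": "user", "iat": 1700000000,
               "debug_flag": base64.b64encode(SAMPLE_FLAG.encode()).decode()}
    signing_input = ".".join(b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def decode_jwt(token: str) -> dict:
    """Decode header and payload WITHOUT verifying: anyone holding the token can read them."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "payload": json.loads(b64url_decode(payload_b64)),
            "signature": b64url_decode(signature_b64)}

def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare in constant time."""
    signing_input, _, signature_b64 = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(signature_b64))

def find_encoded_claims(payload: dict) -> dict:
    """Steps 2-3: try every claim as base64 and keep those that decode to text."""
    found = {}
    for name, value in payload.items():
        try:  # non-strings and non-base64 strings such as 'alice' raise here
            text = b64url_decode(value).decode()
        except (TypeError, ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            found[name] = text
    return found
```

Because the payload is only encoded, never encrypted, anything placed in a claim is readable by whoever holds the token; a debug field like this belongs nowhere near a production token.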

🚩 Submit Flag

Flag format: PlainlySec{...}