← vuln-lab catalog

Weak JWT / alg:none

/api/login issues an HS256 token signed with a guessable secret and never checks the password. /api/me then trusts alg:none tokens without verifying any signature — so an unsigned admin token is accepted.

(no response yet)

Trigger: forge eyJhbGciOiJub25lIn0.eyJyb2xlIjoiYWRtaW4ifQ. then call /api/me — returns admin:true.

Detected by: browser_cdp_jwt_analyze