JWT basics for labs
Three base64 parts. Signature validates integrity. If secret is 'secret123', hashcat cracks it. If server accepts alg:none or HS256 with public key as secret — game over.
Common lab scenarios
Change role claim from user to admin. Swap algorithm. Brute-force weak signing key. Kid header injection.
Tools
jwt.io for decoding, hashcat/john for cracking, Burp JWT Editor extension.