JWT (not) revoked token
RootMe challenge: JWT - Revoked token:
Two endpoints are available:
POST : /web-serveur/ch63/login
GET : /web-serveur/ch63/admin
Gain access to the admin endpoint.
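The developer blacklists the full JWT (or a hash of the JWT) instead of revoking the JTI (JWT ID). A token whose raw string differs from the blacklisted one but still verifies is therefore not treated as revoked.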
Change the request method to POST.
Get a token for admin:admin.
Use the token to get the flag (add an = at the end of it).
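The flaw described above, next to a revocation check keyed on the JTI, as an added example (not code from the challenge or from this write-up). The key, the jti value, the function names and the lenient base64url decoder are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed key, not from the challenge

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    # Assumed lenient decoding: client-supplied '=' is dropped, then re-padded.
    seg = seg.rstrip("=")
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue(claims: dict) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url_encode(sign(header + '.' + body))}"

def verify(token: str) -> dict:
    header, body, sig = token.split(".")
    if not hmac.compare_digest(sign(header + "." + body), b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))

def admin_weak(token: str, revoked_tokens: set) -> bool:
    # Blacklist keyed on the raw token string, as the write-up describes.
    if token in revoked_tokens:
        return False
    verify(token)
    return True

def admin_fixed(token: str, revoked_jtis: set) -> bool:
    # Revocation keyed on the signed jti claim, checked after verification.
    jti = verify(token).get("jti")
    return jti is not None and jti not in revoked_jtis

if __name__ == "__main__":
    token = issue({"sub": "admin", "jti": "constructed-jti-0001"})
    print("weak, original :", admin_weak(token, {token}))
    print("weak, padded   :", admin_weak(token + "=", {token}))
    print("fixed, padded  :", admin_fixed(token + "=", {"constructed-jti-0001"}))
```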