OWASP Waterloo - An Invalid JWT Test Case


Details
Welcome to OWASP Waterloo
We are excited to meet everyone for our first OWASP Waterloo meetup of 2023. We will begin with an introduction, followed by a presentation and a discussion.
Topic: An invalid JWT test case.
Summary: While testing for JWT-related vulnerabilities, Ashutosh stumbled upon a strange behaviour that pushed him to dive deeper and understand how it was happening. The established flow says that if we change even a single character in our JWT, the request should not pass through, and normally it doesn't. But it does pass through if the change is made at one specific position in the token.
Conceptually it appears to be a valid test case, because the token has been tampered with. The catch is that it is not a valid test case, and this talk is about why.
Where: https://us06web.zoom.us/j/87352968700?pwd=YmE0cWdhQWNxNmo4cEZrbHpidmlhdz09
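One well-known cause of exactly this behaviour, shown here as an added example that is not part of the announcement or of the talk (the talk's own explanation is not given on this page): a 32-byte HS256 signature base64url-encodes to 43 characters, which carry 258 bits, so the last character has two low bits that no byte uses. The four alphabet characters sharing the top four bits of that last character all decode to the same 32 bytes, so a lenient decoder, and the HMAC comparison behind it, accepts the "tampered" token. The signature bytes were never changed, which is why this is not a tampering test case at all. The script below builds a token under a constructed key, produces such a variant, and shows that a verifier using a lenient decoder accepts it while one that insists on canonical encoding rejects it. The function names, the key and the claims are mine, not from the talk.

```python
import base64
import hashlib
import hmac
import json

# base64url alphabet in index order (RFC 4648 section 5).
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

# Constructed demo key; any real deployment uses a random secret of >= 32 bytes.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def b64url_encode(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode_lenient(s: str) -> bytes:
    """Re-pad and decode. Like most JWT libraries, Python's decoder silently
    drops non-zero bits beyond the last full byte instead of rejecting them."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_decode_strict(s: str) -> bytes:
    """Accept only the canonical encoding: re-encode and compare."""
    data = b64url_decode_lenient(s)
    if b64url_encode(data) != s:
        raise ValueError("non-canonical base64url")
    return data


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"},
                                      separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes, strict: bool = False) -> bool:
    """Recompute the MAC over the encoded header.payload text and compare it
    with the decoded signature segment. Only the signature segment is decoded,
    so only it can be affected by a non-canonical encoding: a changed header
    or payload character changes the MAC input itself."""
    try:
        header, payload, sig_b64 = token.split(".")
        decode = b64url_decode_strict if strict else b64url_decode_lenient
        presented = decode(sig_b64)
    except ValueError:
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(presented, expected)


def equivalent_last_chars(sig_b64: str) -> list[str]:
    """43 chars = 258 bits for a 256-bit MAC, so the last char has 2 unused
    low bits; the 4 chars sharing its top 4 bits decode to identical bytes."""
    last = ALPHABET.index(sig_b64[-1])
    base = last & ~0b11
    return [ALPHABET[base + i] for i in range(4)]


def non_canonical_variant(token: str) -> str:
    """Return the token with a different last character that decodes to the
    same signature bytes. This is what looks like 'tampering' but is not."""
    header, payload, sig_b64 = token.split(".")
    alternatives = [c for c in equivalent_last_chars(sig_b64) if c != sig_b64[-1]]
    return f"{header}.{payload}.{sig_b64[:-1]}{alternatives[0]}"


def demo(key: bytes = DEMO_KEY) -> dict:
    """Run the whole comparison and return the observations for inspection."""
    token = make_hs256_jwt({"sub": "alice", "admin": False}, key)
    variant = non_canonical_variant(token)
    return {
        "original_verifies": verify_hs256_jwt(token, key),
        "variant_differs": variant != token,
        "same_signature_bytes": b64url_decode_lenient(variant.split(".")[2])
        == b64url_decode_lenient(token.split(".")[2]),
        "variant_verifies_lenient": verify_hs256_jwt(variant, key),
        "variant_verifies_strict": verify_hs256_jwt(variant, key, strict=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things follow for a reviewer of such a finding. First, the "tampered" token carries the identical signature bytes, so no integrity property is broken and a bug report built on it would be rejected; a genuine single-character change anywhere that alters a decoded byte, or any character of the header or payload, still fails verification. Second, a library that wants to reject non-canonical encodings, which is reasonable hygiene, can do so with the re-encode-and-compare check in `b64url_decode_strict` rather than a custom decoder.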
