The TryFlufMe (TFM) team called me in. Something wasn't right.
Their internal admin portal had been behaving strangely: a normal user suddenly pulling admin-level tricks.
Logs were messy. Security analysts were stuck. They needed an Application Forensics Specialist (that's me). My mission: unravel the mystery of the stolen sessions and forged tokens before things spiraled further.
Time to dig in.
Before I dived into the crime scene, I needed to recap my knowledge about sessions and JWTs.
Sessions are like the keys to a hotel room: the server holds the room number, while you only carry the keycard (session ID). JWTs, on the other hand, are more like boarding passes: they hold all the info inside them, no central database needed.
But that flexibility comes at a price: if the boarding pass (JWT) is forged or tampered with, boom, instant access.
- What security mechanism do you have to implement when introducing JWT?
  Answer: revocation
- What is the attack called when an attacker steals your session ID?
  Answer: session hijacking
I cracked open the logs. Sessions and JWTs appeared everywhere.
- Session cookies: stored safely with `HttpOnly; Secure`.
- JWT tokens: base64 blobs floating in `Authorization` headers and browser storage.
I decoded one:
`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...`
Payloads revealed usernames, roles, and expiry times. Some tokens were legit. Some... felt off.
- Where would you find logs useful for investigating privilege escalation?
  Answer: application logs
- Where would you find logs useful for mapping user-agent and IP addresses?
  Answer: web server logs
- Which logs would you check if a JWT token has been forged?
  Answer: Identity Provider logs
The files landed on my desk:
- webserver.log: showed browsing with a legit token, then suddenly switching to a forged one.
- app.log: screamed about a role mismatch (user suddenly became admin).
- idp.log: clean. IdP had never issued admin tokens.
- browser_dump.txt: ah, jackpot. A malicious JWT lurked in localStorage.
I decoded the malicious token. Something strange... its algorithm was none. Classic JWT forgery trick.
The perpetrator? A familiar name: FluffyCat 🐱.
At first, just a harmless user. But with a tampered JWT, FluffyCat clawed their way into the admin portal.
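The cross-referencing described above (a token seen in the web server log that the IdP never issued, carrying `alg: none` and an admin role) can be scripted. The following is an added example, not part of the original writeup or the room's files; the log lines are constructed in an assumed `key=value` layout, since the writeup does not show the real format of idp.log or webserver.log, and only the two tokens are taken from the evidence above.

```python
import base64
import json
import re

# Tokens as they appear in the writeup's evidence.
LEGIT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6IkZsdWZmeUNhdCIsInJvbGUiOiJ1c2VyIiwiZXhwIjoxNzIxNDM1NDAwfQ."
    "WMKctz1p5KLwNP_C7XXcWbP8uEpbwSeEY_hU_dhG6Rk"
)
FORGED = (
    "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0."
    "eyJ1c2VybmFtZSI6IkZsdWZmeUNhdCIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcyMTQzMTgwMCwiZXhwIjoxNzIxNDM1NDAwfQ"
)

# Constructed sample lines in an assumed key=value layout; NOT the room's actual
# idp.log / webserver.log, whose exact format the writeup does not show.
IDP_LOG = [
    f"2024-07-19T22:40:00Z event=token_issued user=FluffyCat role=user token={LEGIT}",
]
WEB_LOG = [
    f'2024-07-19T22:41:10Z ip=10.0.0.7 ua="Mozilla/5.0" path=/dashboard status=200 authorization="Bearer {LEGIT}"',
    f'2024-07-19T23:31:00Z ip=10.0.0.7 ua="Mozilla/5.0" path=/admin status=200 authorization="Bearer {FORGED}"',
]

# Two or three base64url segments; the third may be empty or absent (alg none tokens).
BEARER_RE = re.compile(r"Bearer ([A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+(?:\.[A-Za-z0-9_\-]*)?)")


def b64url_json(segment):
    # Unpadded base64url -> JSON object. No signature check: this is triage, not auth.
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def issued_tokens(idp_lines):
    """Map every token the IdP says it issued to the identity it was issued for."""
    issued = {}
    for line in idp_lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("event") == "token_issued":
            issued[fields["token"]] = {"user": fields["user"], "role": fields["role"]}
    return issued


def correlate(web_lines, idp_lines):
    """Flag web requests whose bearer token is unsigned, was never issued by the
    IdP, or claims a different role than the IdP granted."""
    issued = issued_tokens(idp_lines)
    findings = []
    for line in web_lines:
        match = BEARER_RE.search(line)
        if not match:
            continue
        token = match.group(1)
        parts = token.split(".")
        header, payload = b64url_json(parts[0]), b64url_json(parts[1])
        reasons = []
        if str(header.get("alg", "")).lower() == "none" or len(parts) < 3 or not parts[2]:
            reasons.append("unsigned token (alg none or missing signature)")
        record = issued.get(token)
        if record is None:
            reasons.append("token never issued by IdP")
        elif record["role"] != payload.get("role"):
            reasons.append(f"role {payload.get('role')!r} differs from issued {record['role']!r}")
        if reasons:
            findings.append({
                "time": line.split()[0],
                "user": payload.get("username"),
                "claimed_role": payload.get("role"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(WEB_LOG, IDP_LOG):
        print(finding)
```

Run against the constructed lines, the /dashboard request passes and the /admin request is flagged twice over: the token is unsigned and the IdP has no record of issuing it, which is exactly the "idp.log is clean" observation turned into a check.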
- What user-agent can be seen in the logs?
  Answer: Mozilla/5.0
- Based on the logs, what kind of tokens are we dealing with?
  Answer: JWT
- What is the IdP server that issued the tokens?
  Answer: auth.catportal.internal
- Which user has requested the tokens?
  Answer: FluffyCat
- Which role change triggered the warning?
  Answer: admin
- What was the malicious token used?
  Answer: eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VybmFtZSI6IkZsdWZmeUNhdCIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcyMTQzMTgwMCwiZXhwIjoxNzIxNDM1NDAwfQ
- What algorithm did the malicious token use?
  Answer: none
- What was the previous legitimate token?
  Answer: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6IkZsdWZmeUNhdCIsInJvbGUiOiJ1c2VyIiwiZXhwIjoxNzIxNDM1NDAwfQ.WMKctz1p5KLwNP_C7XXcWbP8uEpbwSeEY_hU_dhG6Rk
- What algorithm did the legitimate token use?
  Answer: HS256
I briefed SecOps:
- Immediate containment: revoke all FluffyCat sessions, rotate credentials, invalidate tokens.
- Audit: comb through logs for any more forged tokens.
- Temporary lockdown: restrict the admin portal until trust is restored.
Then, to prevent history repeating:
- Strong Signature Validation: reject `alg: none` and enforce proper signature checks.
- Issuer Validation: tokens must match `auth.catportal.internal`.
- Secure Storage: no more tokens in localStorage; switch to `HttpOnly` cookies.
- Token Verification & Reuse Detection: cross-check claims, expiration, and issuer at every step.
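What "strong signature validation" and "issuer validation" look like in code, as an added example that is not from the writeup or the TFM portal: a small HS256 verifier that fixes the algorithm server-side, checks the HMAC before reading any claim, then enforces issuer and expiry. The two tokens are the ones recovered above; the signing secret is a constructed placeholder (the real key is unknown), so the page's legitimate token cannot be verified here and a freshly minted token stands in as the positive case. `peek` decodes without verifying and is for triage only.

```python
import base64
import hashlib
import hmac
import json
import time

# The two tokens recovered in the investigation (values as they appear in the writeup).
MALICIOUS_TOKEN = (
    "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0."
    "eyJ1c2VybmFtZSI6IkZsdWZmeUNhdCIsInJvbGUiOiJhZG1pbiIsImlhdCI6MTcyMTQzMTgwMCwiZXhwIjoxNzIxNDM1NDAwfQ"
)
LEGIT_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ1c2VybmFtZSI6IkZsdWZmeUNhdCIsInJvbGUiOiJ1c2VyIiwiZXhwIjoxNzIxNDM1NDAwfQ."
    "WMKctz1p5KLwNP_C7XXcWbP8uEpbwSeEY_hU_dhG6Rk"
)
EXPECTED_ISSUER = "auth.catportal.internal"  # the IdP named in the logs


def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def peek(token):
    """Decode header and payload WITHOUT verifying anything (forensic triage only)."""
    parts = token.split(".")
    return {
        "segments": len(parts),
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
    }


def sign_hs256(payload, secret):
    """Mint a correctly signed token; used here only to build the positive case."""
    header_b64 = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def verify_hs256(token, secret, expected_iss, now=None):
    """Strict verification; raises ValueError naming the first check that fails."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The server fixes the algorithm; the token's own 'alg' is compared to that
    # allowlist, so 'none' (or any other surprise) is rejected before any claim is read.
    if header.get("alg") != "HS256":
        raise ValueError(f"rejected alg {header.get('alg')!r}: only HS256 is accepted")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    # Claims are trusted only once the signature holds.
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("iss") != expected_iss:
        raise ValueError(f"issuer {payload.get('iss')!r} does not match {expected_iss!r}")
    now = int(time.time()) if now is None else now
    if "exp" not in payload or now >= int(payload["exp"]):
        raise ValueError("token expired or missing exp")
    return payload


def validate(token, secret, expected_iss=EXPECTED_ISSUER, now=None):
    """Same checks, returned as a verdict dict instead of an exception."""
    try:
        return {"ok": True, "claims": verify_hs256(token, secret, expected_iss, now)}
    except ValueError as err:
        return {"ok": False, "reason": str(err)}


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # assumption: the portal's real signing key is unknown
    print("forged:", peek(MALICIOUS_TOKEN), validate(MALICIOUS_TOKEN, secret))
    print("forged with empty signature:", validate(MALICIOUS_TOKEN + ".", secret))
    good = sign_hs256({"username": "FluffyCat", "role": "user", "iss": EXPECTED_ISSUER,
                       "exp": 1721435400}, secret)
    print("minted:", validate(good, secret, now=1721431800))
```

The order of checks is the point: algorithm allowlist, then signature, and only then the claims. Flipping payload `role` to `admin` while keeping the old signature fails the HMAC comparison, and the `alg: none` token never reaches the claims at all, whether it arrives with two segments (as in the browser dump) or with an empty third one.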
- What can you add to ensure a JWT token is not tampered with?
  Answer: token verification
The case closed with one clear lesson: logs never lie.
By stitching together web, app, IdP, and browser evidence, I uncovered FluffyCat's climb from an ordinary user to a rogue admin.
The weakness? A JWT validation flaw.
The fix? Strict signature enforcement and smarter token handling.
Another day, another cat burglar caught. 🐾
Room Completed: 100%
Difficulty: Medium
Time Taken: ~60 min
Top 3 Tags: #JWT #SessionHijacking #Forensics