Question: I found an excessive data exposure on one of your programs (staff PII). How would I be able to submit that? It isn't massively clear. I have tried to enter a report but I think it's incorrect. Can someone advise me?
@intigriti 1 year ago
Hey, you can ask about this in our Discord, either publicly or using a support ticket: discord.gg/intigriti-870275171938873395 The first thing I'd say is to carefully check the scope, e.g. leaked credentials/info of staff found on the dark web or in data dumps is typically not in scope for bug bounty, see: kb.intigriti.com/en/articles/8128339-reporting-leaked-secrets-credentials
@camelotenglishtuition6394 1 year ago
@intigriti Oh, it wasn't from the deep web. It was some staff emails sitting on a random endpoint with their user IDs too. Also, when one is tried on the site it redirects to their company login. Does that make sense? Do you think it's worth filing a report for?
@grassy-p12 1 year ago
Q: What here is signing and verifying a token? Confused; help me?
@intigriti 1 year ago
Sure! When the algorithm uses an asymmetric key (RSA), the server signs the JWT using a private key, then the related public key (it's a public-private keypair) is used to verify the signature. When the algorithm is symmetric (HS256) there's only one key, which is used to both sign and verify. If we can trick the server into using the HS256 alg instead of RS256 and sign the token with the public key (assuming we can find it), the server will use that same public key to verify, allowing us to forge tokens! Hope that helps 🙂
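The algorithm confusion described in the reply above, shown side by side with the fix, as an added example that is not part of the original comment thread or of Intigriti's or PortSwigger's material. It uses a constructed toy RSA keypair (tiny primes, no PKCS#1 padding) and a string encoding of the public key so that it runs offline with only the standard library; `verify_alg_from_header`, `verify_pinned_rs256` and the other names are hypothetical. The weak verifier lets the token's own `alg` header pick the check, so the RSA public key it was configured with ends up being used as an HMAC secret; the hardened verifier treats the expected algorithm as server configuration and rejects anything else before looking at the signature.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed toy RSA keypair: far too small for real use, present only so
# the example is self-contained. PUBLIC_KEY stands in for the PEM/JWKS the
# server publishes; the same bytes object is what the weak verifier feeds
# into HMAC when tricked into HS256.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = f"{N}:{E}".encode()


def rsa_sign(signing_input: bytes) -> bytes:
    # Textbook RSA over a SHA-256 digest reduced mod N (toy, no padding).
    h = int.from_bytes(hashlib.sha256(signing_input).digest(), "big") % N
    return pow(h, D, N).to_bytes(8, "big")


def rsa_verify(signing_input: bytes, sig: bytes, public_key: bytes) -> bool:
    n, e = (int(x) for x in public_key.split(b":"))
    h = int.from_bytes(hashlib.sha256(signing_input).digest(), "big") % n
    return pow(int.from_bytes(sig, "big"), e, n) == h


def encode_jwt(header: dict, payload: dict, signer) -> str:
    signing_input = (
        b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    ).encode()
    return signing_input.decode() + "." + b64url(signer(signing_input))


def issue_token(payload: dict) -> str:
    """What the server legitimately issues: RS256, signed with the private key."""
    return encode_jwt({"alg": "RS256", "typ": "JWT"}, payload, rsa_sign)


def hs256_token_keyed_with_public_key(payload: dict) -> str:
    """The test vector from the reply: HS256 with the public key as HMAC secret."""
    return encode_jwt(
        {"alg": "HS256", "typ": "JWT"},
        payload,
        lambda si: hmac.new(PUBLIC_KEY, si, hashlib.sha256).digest(),
    )


def verify_alg_from_header(token: str, key: bytes):
    """VULNERABLE: the token decides which algorithm verifies it."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    signing_input = f"{h}.{p}".encode()
    sig = b64url_decode(s)
    if header.get("alg") == "RS256":
        ok = rsa_verify(signing_input, sig, key)
    elif header.get("alg") == "HS256":
        # Same `key` object as above, so an RSA public key becomes an HMAC secret.
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, sig)
    else:
        ok = False
    return json.loads(b64url_decode(p)) if ok else None


def verify_pinned_rs256(token: str, public_key: bytes):
    """HARDENED: the expected algorithm is server configuration, not token input."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":
        return None  # reject before any signature check, regardless of key type
    signing_input = f"{h}.{p}".encode()
    if not rsa_verify(signing_input, b64url_decode(s), public_key):
        return None
    return json.loads(b64url_decode(p))
```

In a real service the same pin is expressed by passing an explicit algorithm allow-list to the JWT library (for example `algorithms=["RS256"]` in PyJWT) and by never handing an RSA key to a code path that can run HMAC. A detection angle follows directly: a token whose `alg` differs from what the issuer is known to use is worth alerting on, whether or not the verifier accepted it.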
@grassy-p12 1 year ago
@intigriti Thank you so much; happy to get your attention.
@jondo-vh8tx 10 months ago
Sorry man, nothing against you, just so you know, but this is amazing: "don't worry too much about this"... sounds like a really good idea to teach security
@intigriti 10 months ago
It's been a while since I made this video so I miss the reference; can you timestamp the video / explain? Edit: n/m, I realised you are talking about the PortSwigger material 😅 The reason it says "don't worry too much about what this means" is because the underlying technical details aren't relevant to the lab, and if we deep-dived on every related tool/principle, every lab would take hours and go way off course. Instead it's best to focus on the goal at hand; if people want to learn more about the underlying tech, that's great! Just take a break from the lab and go and do some background research 😉