Vuln ID: TP-023
Title: Privilege Escalation via JWT Claim Forgery
Severity: critical
Type: Privilege Escalation
HTTP Method: GET
URL: /admin/*
Parameter: Authorization
Filename: -
Code Location: backend/api/controllers/AdminController.php line 18

Description

The admin authorization check reads the is_admin claim from the JWT payload instead of from the database, so the token itself decides whether a request to /admin/* is allowed. Combined with the JWT vulns (#11, #12), an attacker can forge a token with is_admin=true and pass the check.

Proof of Concept

Log in as any user, decode the JWT, set is_admin=true, and re-encode it with alg=none.

Remediation

Determine admin status by looking the user up in the database; never trust is_admin from the JWT payload.
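The vulnerable check beside its hardened form, as an added example that is not the audited project's code. It assumes a PDO handle $db, a users table with columns id and is_admin, an HS256 secret, and the Bearer token already extracted from the Authorization header; the function names are hypothetical.

```php
<?php
// Added example, not the audited project's code. Assumes a PDO handle $db, a users
// table (id, is_admin), an HS256 secret, and a Bearer JWT already extracted from Authorization.

// Vulnerable pattern described in TP-023: trust is_admin straight from the token payload.
function isAdminVulnerable(array $claims): bool
{
    return !empty($claims['is_admin']); // attacker-controlled if the token is forged
}

function base64UrlDecode(string $s): string
{
    $s .= str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode(strtr($s, '-_', '+/'), true) ?: '';
}

// Verify the signature with a pinned algorithm; alg=none or any other alg is rejected.
function verifyHs256(string $jwt, string $secret): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $sig] = $parts;
    $header = json_decode(base64UrlDecode($h), true);
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expected, base64UrlDecode($sig))) {
        return null;
    }
    $claims = json_decode(base64UrlDecode($p), true);
    return is_array($claims) ? $claims : null;
}

// Hardened pattern: the token only identifies the user; admin status comes from the database.
function isAdminHardened(PDO $db, string $jwt, string $secret): bool
{
    $claims = verifyHs256($jwt, $secret);
    if ($claims === null || !isset($claims['sub'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT is_admin FROM users WHERE id = ?');
    $stmt->execute([(int) $claims['sub']]);
    return (bool) $stmt->fetchColumn();
}
```

Even with the database lookup in place, the signature and algorithm check still matter: the sub claim is only trustworthy once the token has been verified, which is why the alg=none path is rejected before any claim is read.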