I found an interesting website with a JWT bypass vulnerability. It uses a simple secret key that can be discovered using brute force, which I did. However, I couldn’t exploit the vulnerability because simply changing the id results in the site returning a “Login invalid” error. After some experimentation, I noticed that if you change even one digit in the iat (issued at), nbf (not before), or exp (expiration) fields, even a valid token becomes invalid, and the “Login invalid” error appears immediately. What can be done about this?
JWT request