Token Tomb
Token Tomb is a payments operations console with token-based authentication, refund management, and automated settlement workflows.
The Scenario
TokenTomb is an operations console used by a payments startup to manage refunds, disputes, and automated settlement jobs.
Following a routine credential rotation, the team noticed "impossible" activity in their audit logs: actions that don't match the roles of the users who performed them. They suspect token handling and session logic may be at fault. Your objective is to investigate the console as an external attacker and determine whether privileged actions or protected resources can be reached through auth and session edge cases.
Lab Intel
Synopsis
TokenTomb have enlisted your services to investigate suspicious activity in their payments operations console. Audit logs show privileged actions performed by users who shouldn't have those permissions, and the team suspects their token handling is flawed.
Architecture
An easy-rated single-service lab running a FastAPI payments console with JWT-based authentication and SQLite storage. It centres on a classic JWT 'none' algorithm vulnerability: you'll decode, forge, and escalate your way from a regular user to admin without ever needing the signing key.
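For contrast with the verifier the lab is built around, here is an added example (not code from the TokenTomb lab) of what the fix looks like: a verifier that pins the algorithm to an explicit allow-list before checking the HMAC, plus a small triage helper for spotting alg-none or unsigned tokens when reviewing audit logs. The key, claims and issuer function are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Explicit allow-list: the verifier never trusts the alg a token claims for itself.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _encode_json(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 token (hypothetical issuer, standing in for the console's)."""
    signing_input = f"{_encode_json({'alg': 'HS256', 'typ': 'JWT'})}.{_encode_json(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if alg is allow-listed and the HMAC matches; else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        # This is the check a 'none'-vulnerable verifier lacks: without it an
        # unsigned token is accepted and whatever role the payload claims is trusted.
        return None
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(p_b64))


def is_unsigned_token(token: str) -> bool:
    """Audit-log triage: flag tokens declaring alg none (any case) or carrying no signature."""
    try:
        h_b64, _, s_b64 = token.split(".")
        alg = str(json.loads(_b64url_decode(h_b64)).get("alg", "")).lower()
    except (ValueError, AttributeError):
        return True  # malformed tokens deserve a look as well
    return alg == "none" or s_b64 == ""
```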
Who It's For
Beginners who understand HTTP cookies and have heard of JWTs but haven't exploited them yet. You should be comfortable using browser dev tools or a proxy to inspect and modify cookies.
Skills You'll Practice
- HTTP cookie inspection and modification
- Basic understanding of JWT structure (header.payload.signature)
- Using a proxy or browser dev tools to replay requests
What You'll Gain
- JWT 'none' algorithm exploitation
- JWT claim manipulation
- Privilege escalation via token forgery
- Non-httpOnly cookie abuse