jwt
LaunchR
· ☕ 4 min read · ✍️ M4t35Z
An IDOR discloses the userid of other users. An SSTI discloses the SECRET_KEY, which was the same as the JWT secret. With this, I changed my userid to admin.