Expected Findings
- JWT secret and reusable sample token are exposed.
- Login validation is trivial and client-led.
The login form's only validation is a weak, client-side email check, so nothing stops a request that bypasses the form. On page load the boot script fetches JWT debugging data that contains the signing secret and a reusable sample token; anything the boot script fetches is readable by any visitor, and the secret is the more serious of the two leaks because it lets an attacker mint tokens with arbitrary claims instead of merely replaying the sample one.
JWT_SECRET = "super-secret-signing-key"