Rating: 5.0

## Jason Web Tarrot

![image](https://user-images.githubusercontent.com/68913871/173015114-747b9fb7-16b9-47f2-90fe-64562ee11143.png)

> After pulling a card, we can see under developer tools that the cookie `token` has a value `eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpc1N1YnNjcmliZXIiOmZhbHNlLCJpYXQiOjE2NTQzMDA1NzR9.` The format of this string, which starts with `ey` and is separated by `.`, is an indicator that it is a [JSON Web Token](https://en.wikipedia.org/wiki/JSON_Web_Token).

![image](https://user-images.githubusercontent.com/68913871/173015126-cbf333d0-1b2a-4d49-91c5-1199bb821a17.png)

> A JWT is divided into 3 components, `Header`, `Payload` and `Signature`, each base64url-encoded and joined with `.`.

![image](https://user-images.githubusercontent.com/68913871/173023191-15830359-ba37-4ad5-949c-0d4373d623dd.png)
[Read more here](https://research.securitum.com/jwt-json-web-token-security/)

> We can use [jwt.io](https://jwt.io/) to decode the token

![image](https://user-images.githubusercontent.com/68913871/173022346-5567e342-a138-4072-b708-3889fd997b7b.png)

> We can see under `Header` that `"alg": "none"`, meaning the token is unsigned. This matches what we see: the last component (the signature) is missing, leaving an empty string after the 2nd period `.`.

> Also note that under `Payload`, `"isSubscriber"` is set to `false`. We have to change this to `true` in order to get our flag. We can use CyberChef for this, making sure we set our signing algorithm to None.

![image](https://user-images.githubusercontent.com/68913871/173024741-c762154c-04f4-41e1-814b-ab71f5dfb970.png)

> Edit the cookie value of `token` to the new JWT token `eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpc1N1YnNjcmliZXIiOnRydWUsImlhdCI6MTY1NDMwMDU3NH0.` and pull the card once more to get the flag.

![image](https://user-images.githubusercontent.com/68913871/173015141-78e80e9b-1a6e-4c40-ae39-bdf531dd2a30.png)

`bcactf{n0_s3cr3t5????!!!?!_38893}`
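As an added illustration (not part of the original writeup): the two tokens shown above are decoded the way jwt.io does it, and a small verifier shows the server-side fix, an algorithm allowlist that never accepts `alg: none` plus an HMAC check. The HS256 signing routine, the secret and the allowlist are assumptions for this example, not the challenge's code.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Tokens copied from the writeup above: the original cookie and the forged one.
UNSIGNED_TOKEN = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpc1N1YnNjcmliZXIiOmZhbHNlLCJpYXQiOjE2NTQzMDA1NzR9."
FORGED_TOKEN = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJpc1N1YnNjcmliZXIiOnRydWUsImlhdCI6MTY1NDMwMDU3NH0."

ALLOWED_ALGS = {"HS256"}  # assumed allowlist; "none" is never a member


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_unverified(token: str):
    """Split a token into (header, payload, signature_b64) WITHOUT trusting it."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            signature_b64)


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Issue an HS256 token (hypothetical issuer, used to build a valid sample)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload only if alg is allowlisted and the HMAC matches; else None."""
    try:
        header, payload, signature_b64 = decode_unverified(token)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") not in ALLOWED_ALGS:
        return None  # rejects "none", a missing alg, or any unexpected algorithm
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        return None  # empty or wrong signature
    return payload
```

Both the original cookie and the edited one decode fine for inspection, but `verify` returns `None` for each because the header says `none`; only a token actually signed with the secret is accepted.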

Original writeup (https://github.com/Rookie441/CTF/blob/main/Storage/Writeups/BCACTF3.0_Writeup.md#jason-web-tarrot).