Rating:
SQL injection in the kid to bypass the signature.
The website uses JWT for authentication. Using the debugger at jwt.io we see that there is a kid parameter in the header section.
According to the RFC:
The "kid" (key ID) Header Parameter is a hint indicating which key was used to secure the JWS.
In this specific implementation, given the challenge description and some initial tests, the kid value is used in a sql query that retrieves the key from a sqlite database and is vulnerable to injection. Using a simple union injection we can get the application to use any key we want.
Setting the new JWT as the cookie value we are logged in as admin.
