An attacker reviews a web service that uses multi-part tokens for authentication and plans to alter the signature. Which technique achieves this in a way that appears valid to the server?
Insert an additional claim granting higher privileges without altering the existing signature
Append an extra signature portion to the token to confuse the validation service
Switch the algorithm field to a keyless signing approach and finalize the token so verification is bypassed
Edit the payload to increase the expiration while retaining the original signature
The correct answer is switching the algorithm. Multi-part tokens of this kind (JSON Web Tokens are the common case) carry the signing algorithm in their own header, and a server that trusts that untrusted field can be told the token is unsigned: the attacker sets the header's alg to "none", edits the payload to grant higher privileges, and submits the token with an empty signature segment. A verifier that honours "none" skips the signature check entirely, so the forged token is accepted as authentic. The fix is for the server to decide the algorithm and key itself and reject any token whose header disagrees. The other options fail because the original signature still covers both the header and the payload: changing the expiration or inserting an extra claim while keeping that signature produces a mismatch when the server recomputes it, and appending an extra segment yields a malformed token that a correct parser rejects rather than a bypass.
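The attack and the defence side by side, as an added example that is not part of the original question. It builds an HS256 token with a constructed secret, forges an "alg": "none" variant with an elevated role, and then checks it against two verifiers: a naive one that honours whatever algorithm the header names, and a hardened one that pins the expected algorithm server-side. It also shows the distractor from the question, a payload edited to extend the expiration while the old signature is kept, failing both verifiers. All keys, claims and function names are assumptions for the demo; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real service would load this from a vault or env.
SECRET = b"demo-secret-not-from-the-page"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWT base64url strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a legitimate token: header.payload.HMAC-SHA256(header.payload)."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_alg_none(token: str, new_claims: dict) -> str:
    """Attacker step from the question: rewrite alg to 'none', edit the payload,
    and drop the signature so the third segment is empty."""
    _, payload_b64, _ = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(new_claims)
    return _encode_json({"alg": "none", "typ": "JWT"}) + "." + _encode_json(payload) + "."


def tamper_payload_keep_signature(token: str, new_claims: dict) -> str:
    """The distractor: edit the payload (e.g. exp) but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(new_claims)
    return header_b64 + "." + _encode_json(payload) + "." + sig_b64


def verify_naive(token: str, key: bytes):
    """Vulnerable verifier: lets the untrusted header choose the algorithm."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        # No signature check at all: this is the bypass.
        return json.loads(b64url_decode(payload_b64))
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    return None


def verify_pinned(token: str, key: bytes):
    """Hardened verifier: the server fixes the algorithm; the header must agree,
    and the signature must match the recomputed HMAC over header.payload."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # extra or missing segments are malformed, not a bypass
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None  # rejects 'none' and any other algorithm substitution
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def demo() -> dict:
    """Run every case and return which verifier accepted which token."""
    token = sign_hs256({"sub": "alice", "role": "user", "exp": 1700000000}, SECRET)
    forged = forge_alg_none(token, {"role": "admin"})
    tampered = tamper_payload_keep_signature(token, {"exp": 1900000000})
    return {
        "naive_accepts_forged": verify_naive(forged, SECRET) is not None,
        "pinned_accepts_forged": verify_pinned(forged, SECRET) is not None,
        "naive_accepts_tampered": verify_naive(tampered, SECRET) is not None,
        "pinned_accepts_tampered": verify_pinned(tampered, SECRET) is not None,
        "pinned_accepts_original": verify_pinned(token, SECRET) is not None,
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {accepted}")
```

The naive verifier is the only one that accepts the forged token, and it does so because the "none" branch never touches the key. The expiration edit is rejected by both verifiers for the reason the explanation gives: the retained signature no longer matches the HMAC over the modified payload. When auditing a real service, check that the JWT library call pins the algorithm (most libraries take an explicit list of allowed algorithms) rather than reading it from the token.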