Authentication
SAML is basically used for providing SSO (single sign-on).
Example: say there is a service named [identity.hacker.com](http://identity.hacker.com) that authenticates you; based on that single authentication you are then able to access player.superhacker.com.
The image (not reproduced here) is taken from pentesterlabs.com, and according to them:
> The trust-relationship works because the Service Provider trusts the Identity Provider. This trust relationship is initially created by providing the certificate (that contains the public key) of the Identity Provider to the Service Provider. If a SAMLResponse is signed with the private key matching the public key in the certificate, the Service Provider will trust the assertion.
- The IdP can return the response as a base64-encoded XML document, which contains everything: the keys used (not the private one), the NameID, etc.
JSON Web Tokens (JWT) are also used for authentication a lot of the time, so it's worth trying lots of things with them.
- Sometimes the application forgets to actually check the signature at all, so test that as well.
- We can brute-force the secret, but I think that is mostly for CTFs and the like. It rarely works in real life, since most JWTs in use are signed with RSA.
- Decode the token and set the `alg` header to `none`; some implementations accept this and skip the signature check, so it might work.
Say the `alg` used is RS256. It may be possible to modify the header to say HS256, edit the payload as we like, and then produce the signature using the HMAC trick.
PROBLEM: a person would need the public key with which the signature is being verified.
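As an added example (not from the original notes), here is a minimal stdlib-only JWT verifier that models both behaviours described above: a vulnerable verifier that lets the token's own header pick the algorithm (so `alg: none` skips the check), and a hardened one that pins the algorithm and key on the server side. The secret and payloads are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_token(payload: dict, secret: bytes, alg_label: str = "HS256") -> str:
    """Build an HMAC-SHA256 JWT. alg_label only changes the header text (for test tokens)."""
    header = b64url_encode(json.dumps({"alg": alg_label, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_trusting_header(token: str, secret: bytes):
    """Vulnerable pattern: the token's own header decides whether and how to verify."""
    header_b64, body_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg", "")
    if alg.lower() == "none":  # signature is never checked
        return json.loads(b64url_decode(body_b64))
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))


def verify_pinned(token: str, secret: bytes, expected_alg: str = "HS256"):
    """Hardened pattern: server fixes algorithm and key up front; the header must match."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != expected_alg:  # rejects "none", "None", HS512, RS256, ...
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))
```

The same pinning idea applies to RS256: the server must use its configured RSA public key with RSA verification only, never feed it to an HMAC routine because the header asked for HS256.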