Attacking JWT using X509 Certificates
ID: daee4235-02dc-5564-a4c7-5911ce32f931
STIX ID: report--daee4235-02dc-5564-a4c7-5911ce32f931
Feed Name: TrustedSec blog
This report demonstrates a practical attack on JWS header handling where servers that accept x5c/x5u header values for signature verification can be tricked into validating attacker-supplied certificates. The author provides a vulnerable Flask API, an OpenSSL-based key/certificate generation walkthrough, and a Burp Suite extension to modify claims and re-sign tokens (via embedded x5c or remote x5u), allowing unauthorized privilege escalation or user impersonation if servers trust supplied certificates.
