u/accountant856

JWT Security Room – Signature Validation Mistakes returning same flag?

Hi everyone,

I’m currently working through the JWT Security room on TryHackMe, specifically the Signature Validation Mistakes section, and I’ve run into something confusing.

When I modify the JWT and send different requests (changing the signature as expected), I still keep getting the same flag every time, regardless of what I change.

I was expecting different behavior depending on whether the signature is valid or not, so I’m wondering if:

- the room might be broken, or

- I’m misunderstanding how this part is supposed to work

Has anyone else experienced this? Any hints on what I might be missing would be really helpful.

Thanks!

u/accountant856 — 1 day ago