Hi everyone, I have some questions related to JWT:
A system generates some payment links (amount, description, email, etc.). They use a JWT in the URL this way: https://some-site.com/pay?token=JWT_TOKEN
As far as I know, a JWT has 3 parts: HEADER, PAYLOAD, SIGNATURE.
The purpose of these is to validate the integrity of the message.
If the JWT token is not properly generated (the signature does not match), can we say that JWT is not properly implemented?
Furthermore, if I can change the message (PAYLOAD) to any other value and the platform does not generate any warning about the JWT INTEGRITY, can we say that it is not secure?
To report this finding, should I use FIN.S.0078, Insecure token generation?
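The following Python script is an added illustration of the integrity property the question is about; it is not part of the question above and not the platform's own code. It builds an HS256 JWT with a constructed secret, edits the `amount` claim in the payload while keeping the original signature, and then contrasts two ways a server could handle that token: a verifier that recomputes the HMAC and pins the algorithm (which rejects the edit, and also rejects an `alg: none` token), and a decoder that only base64-decodes the payload (which is effectively what a platform is doing if it honours a changed amount without complaint). The secret, the claim values and the e-mail address are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real system would load this from a key store.
SECRET = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used by JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_jwt(payload: dict, secret: bytes) -> str:
    """Issue an HS256 JWT: header.payload.HMAC-SHA256(header.payload)."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, secret: bytes) -> dict:
    """Return the payload only if the signature is valid; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token pick it (this rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def decode_without_verification(token: str) -> dict:
    """INSECURE: trusts the payload without checking the signature at all."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def tamper_payload(token: str, changes: dict) -> str:
    """Attacker step: edit claims in the payload but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return f"{header_b64}.{_encode_json(payload)}.{sig_b64}"


def alg_none_token(payload: dict) -> str:
    """Attacker step: a token claiming alg=none with an empty signature part."""
    return f"{_encode_json({'alg': 'none', 'typ': 'JWT'})}.{_encode_json(payload)}."


def is_accepted_by_verifier(token: str, secret: bytes) -> bool:
    """True if a correct verifier would honour this token."""
    try:
        verify_jwt(token, secret)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed payment link claims.
    genuine = sign_jwt({"amount": 100, "email": "buyer@example.com"}, SECRET)
    forged = tamper_payload(genuine, {"amount": 1})
    none_tok = alg_none_token({"amount": 1, "email": "buyer@example.com"})

    print("genuine, verified   :", verify_jwt(genuine, SECRET))
    print("forged, no-verify   :", decode_without_verification(forged))  # honoured, amount=1
    print("forged, verified    :", is_accepted_by_verifier(forged, SECRET))  # False
    print("alg=none, no-verify :", decode_without_verification(none_tok))  # honoured
    print("alg=none, verified  :", is_accepted_by_verifier(none_tok, SECRET))  # False
```

The point for the report is the contrast between the two paths: if the site behaves like `decode_without_verification` (a changed `amount` goes through), the signature is providing no integrity at all, whereas a site behaving like `verify_jwt` rejects both the edited payload and the `alg: none` token. A quick manual check is to edit one claim in the payload segment of a real link and see whether the site still processes it.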