Tags: cache-poisoning web request-smuggling jwks-spoofing jwt 

Rating: 1.0

**Detailed Writeup:**
[https://fireshellsecurity.team/sekaictf-frog-waf-and-chunky/#challenge-chunky-16-solves](https://fireshellsecurity.team/sekaictf-frog-waf-and-chunky/#challenge-chunky-16-solves)

**TLDR**
* Request smuggling from the cache to nginx (CL.TE)
* Cache poisoning leading to JWKS spoofing
* The attacker's public key, stored in a post, is cached as the public JWKS URL
* Sign the Authorization token with the attacker's private key to get the flag
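
A defensive check for the CL.TE condition named in the first bullet, as an added example that is not from the original writeup or the challenge: it flags request heads where a front-end cache and a back end could disagree about where the body ends. The function name `framing_issues` and the sample requests are constructed for illustration.

```python
# Added example: flag HTTP/1.1 request heads with ambiguous body framing,
# the precondition for CL.TE request smuggling between a cache and nginx.

def framing_issues(raw_request: bytes) -> list[str]:
    """Return the reasons a request's body framing is ambiguous (empty if none)."""
    issues = []
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    header_lines = head.split(b"\r\n")[1:]  # skip the request line
    content_lengths, transfer_encodings = [], []
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep:
            issues.append("header line without colon")
            continue
        key = name.strip().lower()
        # Whitespace around the field name makes parsers disagree on the header.
        if key != name.lower():
            issues.append("whitespace around header name")
        if key == b"content-length":
            content_lengths.append(value.strip())
        elif key == b"transfer-encoding":
            transfer_encodings.append(value.strip().lower())
    # One hop may honour Content-Length while the next honours chunked encoding.
    if content_lengths and transfer_encodings:
        issues.append("both Content-Length and Transfer-Encoding present")
    if len(set(content_lengths)) > 1:
        issues.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in content_lengths):
        issues.append("non-numeric Content-Length")
    if any(v != b"chunked" for v in transfer_encodings):
        issues.append("Transfer-Encoding is not exactly 'chunked'")
    return issues

# Constructed sample requests (not taken from the challenge).
CLEAN = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
AMBIGUOUS = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
SPACED_NAME = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
               b"Transfer-Encoding : chunked\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("ambiguous", AMBIGUOUS),
                       ("spaced-name", SPACED_NAME)]:
        print(label, framing_issues(req) or "ok")
```

Rejecting any request that returns a non-empty list at the first hop removes the parsing disagreement the smuggling step depends on.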
