From find-cve-agent
Audits JWT implementations for vulnerabilities like algorithm confusion, none alg bypass, weak secrets, JWK injection, and kid attacks in JS/TS/Python/Go code.
Slash command: /find-cve-agent:jwt-attacks
Summary Claude sees in its skill listing (used to decide when to auto-load this skill): Audit JWT verification/generation libraries, authentication implementations, and any code that validates or creates JSON Web Tokens.
The server uses RS256 (asymmetric) but the attacker changes the token header to HS256 (symmetric) and signs with the public key as the HMAC secret.
Conditions: Library accepts algorithm from token header without allowlist validation.
Token header specifies "alg": "none", and the library accepts unsigned tokens.
Conditions: Library does not validate algorithm or allows "none".
Attacker embeds their own public key in the token header via the jwk parameter, and the library uses it for verification.
HMAC secrets that are short, common words, or default values can be brute-forced offline.
kid injection, when the kid header value reaches a file path, database query, or shell command:
"kid": "../../dev/null" -- sign with empty key
"kid": "' UNION SELECT 'secret' --" -- inject known key
"kid": "|id" -- if kid is passed to shell
jku (JWK Set URL) or x5u (X.509 URL) in the header points to an attacker-controlled server hosting a JWK Set with the attacker key.
grep -rn "jwt\.verify\|jwt\.decode\|jwt\.sign\|jwt\.encode" .
grep -rn "jsonwebtoken\|jose\|PyJWT\|go-jose\|nimbus-jose" .
grep -rn "JWTVerify\|jwtVerify\|createRemoteJWKSet" .
grep -rn "algorithms\|algorithm.*=\|alg.*:" . | grep -i jwt
Is the algorithm explicitly specified or taken from the token header?
// VULNERABLE: no algorithm specified
jwt.verify(token, key);
// SAFE: algorithm allowlist
jwt.verify(token, key, { algorithms: ['RS256'] });
grep -rn "none\|None\|NONE" . | grep -i "alg\|algorithm"
grep -rn "kid\|keyId\|key_id\|getKey\|keyStore" .
Is the kid value used in file paths, database queries, or command execution?
grep -rn "secret\|SECRET\|JWT_SECRET\|TOKEN_SECRET" .
Is the secret hardcoded, from environment variable, or sufficiently random?
npx claudepluginhub byamb4/find-cve-agent