Skill

jwt-attacks

Audits JWT implementations for vulnerabilities like algorithm confusion, none alg bypass, weak secrets, JWK injection, and kid attacks in JS/TS/Python/Go code.

Javascript

Typescript

Python

security

authentication

npx claudepluginhub byamb4/find-cve-agent

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Audit JWT verification/generation libraries, authentication implementations, and any code that validates or creates JSON Web Tokens.

Supporting Assets

references/false-positive-indicators.mdreferences/poc-skeleton.mdreferences/sinks.md

SKILL.md

Similar Skills

testing-for-json-web-token-vulnerabilities

Tests JWT implementations for vulnerabilities including algorithm confusion, none algorithm bypass, kid injection, and weak secret exploitation during auth audits.

asi

testing-for-json-web-token-vulnerabilities

5.9k

Tests JWT for vulnerabilities like none algorithm bypass, algorithm confusion, kid injection, and weak secrets to achieve authentication bypass in web apps and APIs.

3 files

cybersecurity-skills

testing-for-json-web-token-vulnerabilities

Tests JWT implementations for vulnerabilities like algorithm confusion, none algorithm bypass, kid injection, and weak keys to achieve auth bypass and privilege escalation. Useful for auditing JWT in APIs, SSO, and OAuth.

3 files

cybersecurity-skills-zh

Stats

Stars18

Forks2

Last CommitMar 20, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

JWT Attack Detection

When to Use

Audit JWT verification/generation libraries, authentication implementations, and any code that validates or creates JSON Web Tokens.

Attack Types

1. Algorithm Confusion (RS256 to HS256)

The server uses RS256 (asymmetric) but the attacker changes the token header to HS256 (symmetric) and signs with the public key as the HMAC secret.

Conditions: Library accepts algorithm from token header without allowlist validation.

2. alg:none Bypass

Token header specifies "alg": "none", and the library accepts unsigned tokens.

Conditions: Library does not validate algorithm or allows "none".

3. JWK Header Injection

Attacker embeds their own public key in the token header via the jwk parameter, and the library uses it for verification.

4. Weak HMAC Secrets

HMAC secrets that are short, common words, or default values. Can be brute-forced offline.

5. kid (Key ID) Attacks

Path traversal: "kid": "../../dev/null" -- sign with empty key
SQL injection: "kid": "' UNION SELECT 'secret' --" -- inject known key
Command injection: "kid": "|id" -- if kid is passed to shell

6. jku/x5u URL Manipulation

jku (JWK Set URL) or x5u (X.509 URL) in header points to attacker-controlled server hosting a JWK Set with the attacker key.

Process

Step 1: Find JWT Usage

grep -rn "jwt\.verify\|jwt\.decode\|jwt\.sign\|jwt\.encode" .
grep -rn "jsonwebtoken\|jose\|PyJWT\|go-jose\|nimbus-jose" .
grep -rn "JWTVerify\|jwtVerify\|createRemoteJWKSet" .

Step 2: Check Algorithm Validation

grep -rn "algorithms\|algorithm.*=\|alg.*:" . | grep -i jwt

Is the algorithm explicitly specified or taken from the token header?

// VULNERABLE: no algorithm specified
jwt.verify(token, key);

// SAFE: algorithm allowlist
jwt.verify(token, key, { algorithms: ['RS256'] });

Step 3: Check for none Algorithm

grep -rn "none\|None\|NONE" . | grep -i "alg\|algorithm"

Step 4: Check kid Parameter Handling

grep -rn "kid\|keyId\|key_id\|getKey\|keyStore" .

Is the kid value used in file paths, database queries, or command execution?

Step 5: Check Secret Strength

grep -rn "secret\|SECRET\|JWT_SECRET\|TOKEN_SECRET" .

Is the secret hardcoded, from environment variable, or sufficiently random?

CVSS Guidance

Algorithm confusion to forge admin tokens: CRITICAL 9.1
alg:none bypass: CRITICAL 9.1
JWK injection: HIGH 8.1
Weak HMAC secret (brute-forceable): HIGH 7.5
kid path traversal: HIGH 7.5-8.1
kid SQLi: CRITICAL 9.8

References

Sinks -- JWT libraries and vulnerability status
False Positive Indicators
PoC Skeleton