Is this skill suitable for proactive security audits?

Absolutely. Developers can use this skill to verify their JWT implementation against common attack vectors before deploying to production.

Does it cover token revocation and lifetime testing?

Yes, it includes test cases to verify if tokens are properly invalidated after logout, password changes, or after their 'exp' (expiration) claim has passed.

Can this skill help with algorithm confusion attacks?

Yes, it includes specific technical workflows to test if a server incorrectly accepts HS256-signed tokens using an RSA public key originally intended for RS256 signatures.

What is the JWT security testing skill for?

It provides a standardized methodology for security researchers and developers to identify vulnerabilities in JSON Web Token implementations, such as weak signing secrets and improper algorithm validation.

Which tools are required for these JWT tests?

The skill utilizes industry-standard tools including jwt_tool, Burp Suite, Hashcat, John the Ripper, and the Python PyJWT library for custom exploitation.

JWT Security & Pentesting

Name: JWT Security & Pentesting
Author: micsapp

bymicsapp

0•

セキュリティとテスト

Conducts comprehensive security assessments of JSON Web Token implementations to identify cryptographic weaknesses and authorization bypasses.

This skill empowers security professionals and developers to systematically audit JWT-based authentication and authorization systems. It provides detailed, step-by-step workflows for executing sophisticated attacks including algorithm confusion, HMAC secret brute-forcing, and header injection vulnerabilities like JKU or KID manipulation. By guiding users through decoding structures, manipulating claims, and verifying revocation policies, this skill ensures that web applications and APIs maintain robust defense against token-based authentication threats.

主な機能

010 GitHub stars

02Automated workflows for Algorithm None and RS256-to-HS256 confusion attacks

03Integration steps for jwt_tool, Burp Suite, and Python-based custom scripts

04Validation procedures for token expiration and server-side revocation

05Brute-force guidance for HMAC secrets using Hashcat and John the Ripper

06Header injection testing for JKU, x5u, and KID parameters

ユースケース

01Auditing OAuth 2.0 and OpenID Connect flows for improper JWT validation

02Security auditing of microservice architectures that rely on JWT for inter-service auth

03Performing authorized penetration tests on web applications and APIs using Bearer tokens

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills testing-jwt-token-security

For use in Claude.ai and ChatGPT

主な機能

010 GitHub stars

02Automated workflows for Algorithm None and RS256-to-HS256 confusion attacks

03Integration steps for jwt_tool, Burp Suite, and Python-based custom scripts

04Validation procedures for token expiration and server-side revocation

05Brute-force guidance for HMAC secrets using Hashcat and John the Ripper

06Header injection testing for JKU, x5u, and KID parameters

ユースケース

01Auditing OAuth 2.0 and OpenID Connect flows for improper JWT validation

02Security auditing of microservice architectures that rely on JWT for inter-service auth

03Performing authorized penetration tests on web applications and APIs using Bearer tokens

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills testing-jwt-token-security

For use in Claude.ai and ChatGPT