بنقرة واحدة
sc-jwt
JWT implementation flaw detection — algorithm confusion, weak secrets, missing validation, and storage issues
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
JWT implementation flaw detection — algorithm confusion, weak secrets, missing validation, and storage issues
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
استنادا إلى تصنيف SOC المهني
| name | sc-jwt |
| description | JWT implementation flaw detection — algorithm confusion, weak secrets, missing validation, and storage issues |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Detects JWT (JSON Web Token) implementation vulnerabilities including algorithm confusion attacks (alg:none, RS256→HS256), weak signing secrets, missing expiration/audience/issuer validation, insecure client-side storage, JWK injection, and key ID (kid) manipulation.
Called by sc-orchestrator during Phase 2 when JWT usage is detected.
"jwt", "JWT", "jsonwebtoken", "jose", "PyJWT", "java-jwt",
"sign(", "verify(", "decode(", "encode(",
"alg", "HS256", "RS256", "ES256", "none",
"expiresIn", "exp", "iat", "aud", "iss", "sub",
"localStorage.*token", "sessionStorage.*token",
"Bearer", "Authorization"
1. Algorithm Confusion (alg:none):
// VULNERABLE: Not specifying allowed algorithms
const payload = jwt.verify(token, secret); // Accepts alg:none!
// SAFE: Specify algorithms explicitly
const payload = jwt.verify(token, secret, { algorithms: ['HS256'] });
2. Weak Signing Secret:
// VULNERABLE: Short/predictable secret
const token = jwt.sign(payload, 'secret');
const token = jwt.sign(payload, 'password123');
const token = jwt.sign(payload, process.env.JWT_SECRET || 'default');
// SAFE: Strong random secret (256+ bits)
const token = jwt.sign(payload, process.env.JWT_SECRET);
// Where JWT_SECRET is a 64+ character random string
3. Missing Expiration:
# VULNERABLE: No expiration
token = jwt.encode({"user_id": user.id}, SECRET_KEY, algorithm="HS256")
# SAFE: With expiration
token = jwt.encode({
"user_id": user.id,
"exp": datetime.utcnow() + timedelta(hours=1)
}, SECRET_KEY, algorithm="HS256")
4. JWT in localStorage (XSS Theft):
// VULNERABLE: XSS can steal token
localStorage.setItem('token', jwtToken);
// SAFE: HttpOnly cookie
res.cookie('token', jwtToken, {
httpOnly: true,
secure: true,
sameSite: 'strict'
});
5. Missing Audience/Issuer Validation:
// VULNERABLE: No audience/issuer check
const payload = jwt.verify(token, secret, { algorithms: ['HS256'] });
// SAFE: Validate audience and issuer
const payload = jwt.verify(token, secret, {
algorithms: ['HS256'],
audience: 'https://api.example.com',
issuer: 'https://auth.example.com'
});
6. Kid Parameter Injection:
// VULNERABLE: kid used in SQL query or file path
const kid = header.kid;
const key = db.query(`SELECT key FROM keys WHERE id = '${kid}'`); // SQL injection!
// Or: const key = fs.readFileSync(`/keys/${kid}`); // Path traversal!
jwt.decode() for reading payload (without verification) in non-auth contexts