원클릭으로
sc-jwt
JWT implementation flaw detection — algorithm confusion, weak secrets, missing validation, and storage issues
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
JWT implementation flaw detection — algorithm confusion, weak secrets, missing validation, and storage issues
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-jwt |
| description | JWT implementation flaw detection — algorithm confusion, weak secrets, missing validation, and storage issues |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Detects JWT (JSON Web Token) implementation vulnerabilities including algorithm confusion attacks (alg:none, RS256→HS256), weak signing secrets, missing expiration/audience/issuer validation, insecure client-side storage, JWK injection, and key ID (kid) manipulation.
Called by sc-orchestrator during Phase 2 when JWT usage is detected.
"jwt", "JWT", "jsonwebtoken", "jose", "PyJWT", "java-jwt",
"sign(", "verify(", "decode(", "encode(",
"alg", "HS256", "RS256", "ES256", "none",
"expiresIn", "exp", "iat", "aud", "iss", "sub",
"localStorage.*token", "sessionStorage.*token",
"Bearer", "Authorization"
1. Algorithm Confusion (alg:none):
// VULNERABLE: Not specifying allowed algorithms
const payload = jwt.verify(token, secret); // Accepts alg:none!
// SAFE: Specify algorithms explicitly
const payload = jwt.verify(token, secret, { algorithms: ['HS256'] });
2. Weak Signing Secret:
// VULNERABLE: Short/predictable secret
const token = jwt.sign(payload, 'secret');
const token = jwt.sign(payload, 'password123');
const token = jwt.sign(payload, process.env.JWT_SECRET || 'default');
// SAFE: Strong random secret (256+ bits)
const token = jwt.sign(payload, process.env.JWT_SECRET);
// Where JWT_SECRET is a 64+ character random string
3. Missing Expiration:
# VULNERABLE: No expiration
token = jwt.encode({"user_id": user.id}, SECRET_KEY, algorithm="HS256")
# SAFE: With expiration
token = jwt.encode({
"user_id": user.id,
"exp": datetime.utcnow() + timedelta(hours=1)
}, SECRET_KEY, algorithm="HS256")
4. JWT in localStorage (XSS Theft):
// VULNERABLE: XSS can steal token
localStorage.setItem('token', jwtToken);
// SAFE: HttpOnly cookie
res.cookie('token', jwtToken, {
httpOnly: true,
secure: true,
sameSite: 'strict'
});
5. Missing Audience/Issuer Validation:
// VULNERABLE: No audience/issuer check
const payload = jwt.verify(token, secret, { algorithms: ['HS256'] });
// SAFE: Validate audience and issuer
const payload = jwt.verify(token, secret, {
algorithms: ['HS256'],
audience: 'https://api.example.com',
issuer: 'https://auth.example.com'
});
6. Kid Parameter Injection:
// VULNERABLE: kid used in SQL query or file path
const kid = header.kid;
const key = db.query(`SELECT key FROM keys WHERE id = '${kid}'`); // SQL injection!
// Or: const key = fs.readFileSync(`/keys/${kid}`); // Path traversal!
jwt.decode() for reading payload (without verification) in non-auth contexts