feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills

Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
mukul975
2026-04-06 11:17:31 +02:00
parent e8105a2f4d
commit efca3ec611
754 changed files with 12847 additions and 2832 deletions
@@ -1,19 +1,28 @@
---
name: exploiting-jwt-algorithm-confusion-attack
description: >
Exploits JWT algorithm confusion vulnerabilities where the server's token verification
library accepts the algorithm specified in the JWT header rather than enforcing a fixed
algorithm. The tester manipulates the alg header to switch from RS256 to HS256 (using
the RSA public key as the HMAC secret), sets alg to none to bypass signature verification,
or exploits kid/jku/x5u header injection to supply attacker-controlled keys. Activates
for requests involving JWT algorithm confusion, alg none attack, key confusion attack,
or JWT signature bypass.
description: 'Exploits JWT algorithm confusion vulnerabilities where the server''s token verification library accepts the
algorithm specified in the JWT header rather than enforcing a fixed algorithm. The tester manipulates the alg header to
switch from RS256 to HS256 (using the RSA public key as the HMAC secret), sets alg to none to bypass signature verification,
or exploits kid/jku/x5u header injection to supply attacker-controlled keys. Activates for requests involving JWT algorithm
confusion, alg none attack, key confusion attack, or JWT signature bypass.
'
domain: cybersecurity
subdomain: api-security
tags: [api-security, jwt, algorithm-confusion, token-forgery, cryptographic-attack]
tags:
- api-security
- jwt
- algorithm-confusion
- token-forgery
- cryptographic-attack
version: 1.0.0
author: mahipal
license: Apache-2.0
nist_csf:
- PR.PS-01
- ID.RA-01
- PR.DS-10
- DE.CM-01
---
# Exploiting JWT Algorithm Confusion Attack
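Review bot: The rewrites of `description` (folded `>` block to a single-quoted scalar) and `tags` (flow list to block list) in this hunk are serializer churn unrelated to the stated `nist_csf` addition, and across 754 files they bury the four new IDs that actually need review. Configure the YAML writer to preserve the existing scalar and sequence style, or move the reformat into its own commit. Also confirm the re-quoted `description` still parses to the same string: as rendered here, the closing `'` sits on its own line, which would fold to a trailing space rather than the trailing newline the `>` form produced. The `nist_csf` values (PR.PS-01, ID.RA-01, PR.DS-10, DE.CM-01) come with no rationale. Since the commit message says they were derived from subdomain and content analysis, a short note on how `api-security` maps to these IDs, or a validation step against the CSF 2.0 subcategory list, would make the mapping checkable.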