creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 05:34:55 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
15d53bd09bf521539bbe45d56e9cf5a0d37217be
Anthropic-Cybersecurity-Skills/skills/testing-api-authentication-weaknesses/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

58 lines
1.8 KiB
Markdown
Raw Blame History

# API Reference: Testing API Authentication Weaknesses
## JWT Security Checks
| Check | Severity | Description |
|-------|----------|-------------|
| alg:none | Critical | Signature verification bypassed |
| Weak HMAC secret | Critical | Brute-forceable signing key |
| No exp claim | High | Token never expires |
| Long TTL (>24h) | Medium | Extended token validity |
| Sensitive data in payload | High | PII in JWT claims |
| Missing iss/aud claims | Medium | Token scope ambiguity |
## OWASP API2:2023 Test Points
| Test | Category |
|------|----------|
| Unauthenticated endpoint access | Missing auth middleware |
| JWT alg:none bypass | Broken token validation |
| JWT secret brute-force | Weak cryptographic key |
| Token reuse after logout | Missing revocation |
| Refresh token rotation | Session management |
| Account enumeration | Information disclosure |
| Password policy bypass | Weak credential controls |
## Common JWT HMAC Secrets
| Secret | Type |
|--------|------|
| `secret` | Default |
| `your-256-bit-secret` | JWT.io example |
| `jwt_secret` | Convention |
| `changeme` | Placeholder |
## JWT Attack Tools
| Tool | Purpose |
|------|---------|
| jwt_tool | JWT testing with 12+ attack modes |
| hashcat -m 16500 | GPU JWT secret brute-force |
| Burp JWT Editor | Interactive JWT manipulation |
| Nuclei | Auth bypass templates |
## Python Libraries
| Library | Version | Purpose |
|---------|---------|---------|
| `requests` | >=2.28 | HTTP API calls |
| `base64` | stdlib | JWT decoding |
| `hmac` | stdlib | HMAC signature testing |
| `hashlib` | stdlib | Hash functions |
## References
- OWASP API Security Top 10: https://owasp.org/API-Security/
- JWT Best Practices RFC 8725: https://www.rfc-editor.org/rfc/rfc8725
- jwt_tool: https://github.com/ticarpi/jwt_tool
Reference in New Issue View Git Blame Copy Permalink