Anthropic-Cybersecurity-Skills/skills/testing-api-authentication-weaknesses/references/api-reference.md

API Reference: Testing API Authentication Weaknesses

JWT Security Checks

Check	Severity	Description
alg:none	Critical	Signature verification bypassed
Weak HMAC secret	Critical	Brute-forceable signing key
No exp claim	High	Token never expires
Long TTL (>24h)	Medium	Extended token validity
Sensitive data in payload	High	PII in JWT claims
Missing iss/aud claims	Medium	Token scope ambiguity

OWASP API2:2023 Test Points

Test	Category
Unauthenticated endpoint access	Missing auth middleware
JWT alg:none bypass	Broken token validation
JWT secret brute-force	Weak cryptographic key
Token reuse after logout	Missing revocation
Refresh token rotation	Session management
Account enumeration	Information disclosure
Password policy bypass	Weak credential controls

Common JWT HMAC Secrets

Secret	Type
secret	Default
your-256-bit-secret	JWT.io example
jwt_secret	Convention
changeme	Placeholder

JWT Attack Tools

Tool	Purpose
jwt_tool	JWT testing with 12+ attack modes
hashcat -m 16500	GPU JWT secret brute-force
Burp JWT Editor	Interactive JWT manipulation
Nuclei	Auth bypass templates

Python Libraries

Library	Version	Purpose
requests	>=2.28	HTTP API calls
base64	stdlib	JWT decoding
hmac	stdlib	HMAC signature testing
hashlib	stdlib	Hash functions

References

• OWASP API Security Top 10: https://owasp.org/API-Security/
• JWT Best Practices RFC 8725: https://www.rfc-editor.org/rfc/rfc8725
• jwt_tool: https://github.com/ticarpi/jwt_tool