creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 05:34:55 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/testing-jwt-token-security/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

69 lines
2.1 KiB
Markdown
Raw Blame History

# API Reference: Testing JWT Token Security
## PyJWT Library
### Installation
```bash
pip install PyJWT
```
### Encoding (Creating Tokens)
```python
import jwt
token = jwt.encode(payload, secret, algorithm="HS256")
```
### Decoding
```python
# Without verification (for analysis)
payload = jwt.decode(token, options={"verify_signature": False})
# With verification
payload = jwt.decode(token, secret, algorithms=["HS256"])
```
### Supported Algorithms
| Algorithm | Type | Description |
|-----------|------|-------------|
| `HS256` | HMAC | SHA-256 symmetric signing |
| `HS384` | HMAC | SHA-384 symmetric signing |
| `HS512` | HMAC | SHA-512 symmetric signing |
| `RS256` | RSA | SHA-256 asymmetric signing |
| `RS384` | RSA | SHA-384 asymmetric signing |
| `ES256` | ECDSA | P-256 curve signing |
## JWT Attack Types
| Attack | Description | Severity |
|--------|-------------|----------|
| Algorithm None | Set alg to "none", remove signature | Critical |
| Algorithm Confusion | Switch RS256 to HS256, sign with public key | Critical |
| HMAC Brute Force | Crack weak signing secrets | Critical |
| JKU Injection | Point JWK Set URL to attacker server | Critical |
| KID Injection | SQL injection or path traversal in Key ID | Critical |
| Claim Tampering | Modify role/sub claims after key compromise | High |
| Expired Token Reuse | Use tokens past expiration | High |
| No Revocation | Tokens valid after logout/password change | High |
## JWT Structure
```
Header.Payload.Signature
base64url({"alg":"HS256","typ":"JWT"}).base64url({"sub":"1","role":"user"}).HMACSHA256(...)
```
## Standard Claims
| Claim | Description |
|-------|-------------|
| `iss` | Token issuer |
| `sub` | Subject (user identifier) |
| `aud` | Intended audience |
| `exp` | Expiration time (Unix timestamp) |
| `nbf` | Not valid before time |
| `iat` | Issued at time |
| `jti` | Unique token identifier |
## References
- PyJWT docs: https://pyjwt.readthedocs.io/
- jwt_tool: https://github.com/ticarpi/jwt_tool
- JWT attacks: https://portswigger.net/web-security/jwt
- RFC 7519 (JWT): https://www.rfc-editor.org/rfc/rfc7519
Reference in New Issue View Git Blame Copy Permalink