AI LOAD INSTRUCTION: Use this skill when APIs rely on JWT, bearer tokens, API keys, or weak request identity signals. Focus on token trust boundaries, claim misuse, header spoofing, and rate-limit bypass.
Inspect:
alg, kid, jku, x5u
| Pattern | First Test |
|---|---|
alg:none acceptance |
unsigned token with trailing dot |
| RS256 confusion | switch to HS256 using public key as secret |
kid lookup trust |
path traversal or injection in kid |
| remote key fetch trust | attacker-controlled jku or x5u |
| weak secret | offline crack with targeted wordlists |
role
isAdmin
admin
verified
plan
tier
permissions
org
owner
X-Forwarded-For: 1.2.3.4
X-Real-IP: 5.6.7.8
Forwarded: for=9.9.9.9
GraphQL or JSON batch abuse candidates:
X-Forwarded-For
X-Real-IP
Forwarded
User-Agent rotation
Path case / slash variants