Skills Development API Authentication And JWT Abuse Testing

API Authentication And JWT Abuse Testing

v20260506
api-auth-and-jwt-abuse
A comprehensive playbook for security testing APIs relying on JWT, bearer tokens, or API keys. It covers token validation weaknesses (e.g., 'alg:none', RS256 confusion), claim misuse, header spoofing, rate limit bypass, and mass assignment vulnerabilities. Ideal for penetration testers assessing authentication boundaries.
Get Skill
452 downloads
Overview

SKILL: API Auth and JWT Abuse — Token Trust, Header Tricks, and Rate Limits

AI LOAD INSTRUCTION: Use this skill when APIs rely on JWT, bearer tokens, API keys, or weak request identity signals. Focus on token trust boundaries, claim misuse, header spoofing, and rate-limit bypass.

1. TOKEN TRIAGE

Inspect:

  • alg, kid, jku, x5u
  • role, org, tenant, scope, or privilege claims
  • issuer and audience mismatches
  • reuse of mobile and web tokens across products

2. QUICK ATTACK PICKS

Pattern First Test
alg:none acceptance unsigned token with trailing dot
RS256 confusion switch to HS256 using public key as secret
kid lookup trust path traversal or injection in kid
remote key fetch trust attacker-controlled jku or x5u
weak secret offline crack with targeted wordlists

3. HIDDEN FIELDS AND BATCH ABUSE

Mass assignment field picks

role
isAdmin
admin
verified
plan
tier
permissions
org
owner

Rate limit and batch abuse picks

X-Forwarded-For: 1.2.3.4
X-Real-IP: 5.6.7.8
Forwarded: for=9.9.9.9

GraphQL or JSON batch abuse candidates:

  • arrays of login mutations
  • bulk object fetches with varying IDs
  • repeated password reset or verification calls in one request

4. RATE LIMIT BYPASS FAMILIES

X-Forwarded-For
X-Real-IP
Forwarded
User-Agent rotation
Path case / slash variants

5. NEXT ROUTING

Info
Category Development
Name api-auth-and-jwt-abuse
Version v20260506
Size 2.21KB
Updated At 2026-05-08
Language