cybernetic
← library

Identify JWT vulnerabilities in security tests

offensive-jwtskillsetup L22,144
SnailSploit/Claude-Red
What it does

Analyze, forge, and exploit JWT tokens in security testing

Best for

When you need to test JWT security (algorithm compliance, signature verification, expiration handling) in authorized penetration tests.

Inputs
  • · JWT token string
  • · secret or algorithm weakness flag
Outputs
  • · decoded payload
  • · vulnerability assessment (none, weak algo, no verification, expired)
  • · forged token if exploitable
Requires
  • · jwt.io CLI or library
  • · hashcat (optional for brute-force)
Preconditions
  • · JWT token is accessible
  • · testing scope includes JWT endpoints
Failure modes
  • · secret never guessed (strong key)
  • · forged token rejected by strict validation
  • · token refreshes prevent replay
Trust signals
  • · Decodes all payload fields
  • · Identifies weak algorithms (none, HS256 with weak secret)
  • · Forging capability when secret is weak