Detect insecure JWT implementations

Detect JWT vulnerabilities in code

Finding JWT signature bypass, algorithm confusion, and key exposure in token handling

• · Codebase under analysis
• · sast/architecture.md (prerequisite)

• · sast/jwt-results.md with findings
• · JWT parsing, validation, and signing issues

• · sast/architecture.md must exist
• · Source code accessible

• · Custom JWT parsing misses validation edge cases
• · Timing attacks not caught by static analysis
• · Key rotation issues missed

• · Three-phase analysis of JWT creation, validation, and use
• · Covers algorithm confusion, signature bypass
• · Identifies key storage issues