How to install api-auth-and-jwt-abuse
npx skills add https://github.com/yaklang/hack-skills --skill api-auth-and-jwt-abuseClaude Code
Cursor
Windsurf
Cline
Full instructions (SKILL.md)
Source of truth, from yaklang/hack-skills.
name: api-auth-and-jwt-abuse description: >- API authentication and JWT abuse playbook. Use when testing bearer tokens, API keys, claim trust, header spoofing, rate limits, and API auth boundary weaknesses.
SKILL: API Auth and JWT Abuse — Token Trust, Header Tricks, and Rate Limits
AI LOAD INSTRUCTION: Use this skill when APIs rely on JWT, bearer tokens, API keys, or weak request identity signals. Focus on token trust boundaries, claim misuse, header spoofing, and rate-limit bypass.
1. TOKEN TRIAGE
Inspect:
alg,kid,jku,x5u- role, org, tenant, scope, or privilege claims
- issuer and audience mismatches
- reuse of mobile and web tokens across products
2. QUICK ATTACK PICKS
| Pattern | First Test |
|---|---|
alg:none acceptance | unsigned token with trailing dot |
| RS256 confusion | switch to HS256 using public key as secret |
kid lookup trust | path traversal or injection in kid |
| remote key fetch trust | attacker-controlled jku or x5u |
| weak secret | offline crack with targeted wordlists |
3. HIDDEN FIELDS AND BATCH ABUSE
Mass assignment field picks
role
isAdmin
admin
verified
plan
tier
permissions
org
owner
Rate limit and batch abuse picks
X-Forwarded-For: 1.2.3.4
X-Real-IP: 5.6.7.8
Forwarded: for=9.9.9.9
GraphQL or JSON batch abuse candidates:
- arrays of login mutations
- bulk object fetches with varying IDs
- repeated password reset or verification calls in one request
4. RATE LIMIT BYPASS FAMILIES
X-Forwarded-For
X-Real-IP
Forwarded
User-Agent rotation
Path case / slash variants
5. NEXT ROUTING
- For GraphQL batching and hidden parameters: graphql and hidden parameters
- For default credential and brute-force planning: authentication bypass
- For full JWT and OAuth depth: jwt oauth token attacks
- For OAuth or OIDC configuration flaws in browser and SSO flows: oauth oidc misconfiguration
- For credentialed browser reads and origin trust bugs: cors cross origin misconfiguration
Related skills
More from yaklang/hack-skills and the wider catalog.
HA
hack
yaklang/hack-skills
>-
1.9k installs
SQ
sqli-sql-injection
yaklang/hack-skills
>-
1.8k installs
CO
code-obfuscation-deobfuscation
yaklang/hack-skills
>-
1.8k installs
AP
api-sec
yaklang/hack-skills
>-
1.8k installsAudited
AN
android-pentesting-tricks
yaklang/hack-skills
>-
1.8k installs
XS
xss-cross-site-scripting
yaklang/hack-skills
>-
1.8k installs