PluginBench
Skill
Fail
Audit score 45

api-auth-and-jwt-abuse

yaklang/hack-skills

How to install api-auth-and-jwt-abuse

npx skills add https://github.com/yaklang/hack-skills --skill api-auth-and-jwt-abuse
Claude Code
Cursor
Windsurf
Cline
Full instructions (SKILL.md)

Source of truth, from yaklang/hack-skills.


name: api-auth-and-jwt-abuse description: >- API authentication and JWT abuse playbook. Use when testing bearer tokens, API keys, claim trust, header spoofing, rate limits, and API auth boundary weaknesses.

SKILL: API Auth and JWT Abuse — Token Trust, Header Tricks, and Rate Limits

AI LOAD INSTRUCTION: Use this skill when APIs rely on JWT, bearer tokens, API keys, or weak request identity signals. Focus on token trust boundaries, claim misuse, header spoofing, and rate-limit bypass.

1. TOKEN TRIAGE

Inspect:

  • alg, kid, jku, x5u
  • role, org, tenant, scope, or privilege claims
  • issuer and audience mismatches
  • reuse of mobile and web tokens across products

2. QUICK ATTACK PICKS

PatternFirst Test
alg:none acceptanceunsigned token with trailing dot
RS256 confusionswitch to HS256 using public key as secret
kid lookup trustpath traversal or injection in kid
remote key fetch trustattacker-controlled jku or x5u
weak secretoffline crack with targeted wordlists

3. HIDDEN FIELDS AND BATCH ABUSE

Mass assignment field picks

role
isAdmin
admin
verified
plan
tier
permissions
org
owner

Rate limit and batch abuse picks

X-Forwarded-For: 1.2.3.4
X-Real-IP: 5.6.7.8
Forwarded: for=9.9.9.9

GraphQL or JSON batch abuse candidates:

  • arrays of login mutations
  • bulk object fetches with varying IDs
  • repeated password reset or verification calls in one request

4. RATE LIMIT BYPASS FAMILIES

X-Forwarded-For
X-Real-IP
Forwarded
User-Agent rotation
Path case / slash variants

5. NEXT ROUTING