SKILL: API Auth and JWT Abuse — Token Trust, Header Tricks, and Rate Limits

AI LOAD INSTRUCTION

Use this skill when APIs rely on JWT, bearer tokens, API keys, or weak request identity signals. Focus on token trust boundaries, claim misuse, header spoofing, and rate-limit bypass. 1. TOKEN TRIAGE Inspect: alg , kid , jku , x5u role, org, tenant, scope, or privilege claims issuer and audience mismatches reuse of mobile and web tokens across products 2. QUICK ATTACK PICKS Pattern First Test alg:none acceptance unsigned token with trailing dot RS256 confusion switch to HS256 using public key as secret kid lookup trust path traversal or injection in kid remote key fetch trust attacker-controlled jku or x5u weak secret offline crack with targeted wordlists 3. HIDDEN FIELDS AND BATCH ABUSE Mass assignment field picks role isAdmin admin verified plan tier permissions org owner Rate limit and batch abuse picks X-Forwarded-For: 1.2.3.4 X-Real-IP: 5.6.7.8 Forwarded: for=9.9.9.9 GraphQL or JSON batch abuse candidates: arrays of login mutations bulk object fetches with varying IDs repeated password reset or verification calls in one request 4. RATE LIMIT BYPASS FAMILIES X-Forwarded-For X-Real-IP Forwarded User-Agent rotation Path case / slash variants 5. NEXT ROUTING For GraphQL batching and hidden parameters: graphql and hidden parameters For default credential and brute-force planning: authentication bypass For full JWT and OAuth depth: jwt oauth token attacks For OAuth or OIDC configuration flaws in browser and SSO flows: oauth oidc misconfiguration For credentialed browser reads and origin trust bugs: cors cross origin misconfiguration