api-auth-and-jwt-abuse


SKILL: API Auth and JWT Abuse — Token Trust, Header Tricks, and Rate Limits

AI LOAD INSTRUCTION: Use this skill when APIs rely on JWT, bearer tokens, API keys, or weak request identity signals. Focus on token trust boundaries, claim misuse, header spoofing, and rate-limit bypass.

1. TOKEN TRIAGE

Inspect:
  • alg, kid, jku, x5u
  • role, org, tenant, scope, or privilege claims
  • issuer and audience mismatches
  • reuse of mobile and web tokens across products

2. QUICK ATTACK PICKS

| Pattern | First test |
|---|---|
| alg:none acceptance | unsigned token with trailing dot |
| RS256 confusion | switch to HS256 using public key as secret |
| kid lookup trust | path traversal or injection in kid |
| remote key fetch trust | attacker-controlled jku or x5u |
| weak secret | offline crack with targeted wordlists |
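The triage items and attack picks above map one-to-one onto checks a verifier must make before it trusts a token. The following is an added example written for this page (it is not code from the original skill or from any library); it shows a minimal HS256 verifier that pins the algorithm per key id, treats `kid` as a dictionary lookup only, refuses `jku`/`x5u`/`x5c`, and pins issuer and audience. The key store `KEYS`, the secret, `EXPECTED_ISS`, `EXPECTED_AUD` and the function names are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key store for the demo: kid -> (pinned alg, secret). The kid is
# only ever used as a dictionary lookup, never as a file path or query fragment,
# so traversal or injection in the header has nothing to act on.
KEYS = {
    "api-2024-01": ("HS256", b"constructed-demo-secret-not-for-production"),
}
EXPECTED_ISS = "https://issuer.example"    # assumed issuer for this API
EXPECTED_AUD = "orders-api"                # assumed audience for this API
FORBIDDEN_HEADERS = {"jku", "x5u", "x5c"}  # remote or embedded key material is never honoured


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _json_b64(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_hs256(claims: dict, kid: str) -> str:
    """Issue a token for the demo; in production this lives in the issuer."""
    alg, secret = KEYS[kid]
    signing_input = _json_b64({"alg": alg, "typ": "JWT", "kid": kid}) + "." + _json_b64(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify(token: str, now: Optional[float] = None) -> dict:
    """Validate a bearer token and return its claims, or raise ValueError with the reason."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if not isinstance(header, dict):
        raise ValueError("malformed header")
    # Triage item 1: kid must name a key we already hold.
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KEYS:
        raise ValueError("unknown kid")
    expected_alg, secret = KEYS[kid]
    # Triage item 2: the algorithm comes from our key store, not from the token,
    # so alg:none and RS256->HS256 switching are rejected before any crypto runs.
    if header.get("alg") != expected_alg:
        raise ValueError("alg mismatch")
    # Triage item 3: headers that point at remote keys are refused outright.
    if FORBIDDEN_HEADERS.intersection(header):
        raise ValueError("remote key reference not allowed")
    # Constant-time signature check; an empty signature (trailing dot) fails here.
    sig = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    # Triage item 4: pin issuer and audience so a token minted for another
    # product (for example the mobile app) is not accepted by this API.
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] < now:
        raise ValueError("expired or missing exp")
    return claims


def verify_outcome(token: str, now: float) -> str:
    """Return 'ok' or the rejection reason; the reason is what you log for detection."""
    try:
        verify(token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    claims = {"sub": "u1", "iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "exp": 2000}
    good = mint_hs256(claims, "api-2024-01")
    unsigned = _json_b64({"alg": "none", "kid": "api-2024-01"}) + "." + _json_b64(claims) + "."
    for name, tok in (("good", good), ("alg:none", unsigned)):
        print(name, "->", verify_outcome(tok, now=1000))
```

The ordering matters: the key id and algorithm are resolved from the server's own store before any signature arithmetic, so a token never gets to choose how it is verified. Logging the distinct rejection reasons (unknown kid, alg mismatch, remote key reference) gives a clean signal for each of the attack picks in the table.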

3. HIDDEN FIELDS AND BATCH ABUSE

Mass assignment field picks

```text
role
isAdmin
admin
verified
plan
tier
permissions
org
owner
```
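The field names above are the ones an update endpoint should never bind from client input. An added example (not from the original skill) of the corresponding defence: a per-endpoint allowlist applied to the request body, with nested objects flattened to dotted paths so a privileged key hidden one level down is dropped too, and every dropped key returned for logging. The endpoint name `PATCH /me`, the allowed fields and the function names are constructed for the demo.

```python
import logging
from typing import Any, Dict, List, Tuple

logger = logging.getLogger("mass-assignment")

# Constructed per-endpoint allowlists. Dotted paths cover nested objects.
# Anything not listed is dropped, which covers role, isAdmin, admin, verified,
# plan, tier, permissions, org and owner without naming them one by one.
ALLOWED_FIELDS = {
    "PATCH /me": {"display_name", "email", "address.street", "address.city"},
}


def _flatten(obj: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Turn {"a": {"b": 1}} into {"a.b": 1}; lists are kept as opaque values."""
    out: Dict[str, Any] = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else str(key)
        if isinstance(value, dict):
            out.update(_flatten(value, path))
        else:
            out[path] = value
    return out


def _unflatten(flat: Dict[str, Any]) -> Dict[str, Any]:
    """Inverse of _flatten: rebuild nested dicts from dotted paths."""
    out: Dict[str, Any] = {}
    for path, value in flat.items():
        node = out
        *parents, leaf = path.split(".")
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return out


def sanitize_update(endpoint: str, payload: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Keep only allowlisted fields; return (clean_payload, rejected_paths).

    An endpoint with no allowlist accepts nothing, so a forgotten entry fails
    closed rather than binding every field the client sends.
    """
    allowed = ALLOWED_FIELDS.get(endpoint, set())
    flat = _flatten(payload)
    kept = {k: v for k, v in flat.items() if k in allowed}
    rejected = sorted(k for k in flat if k not in allowed)
    if rejected:
        # Unexpected privileged keys are a detection signal, not just noise to drop.
        logger.warning("%s: dropped unexpected fields %s", endpoint, rejected)
    return _unflatten(kept), rejected


if __name__ == "__main__":
    body = {"display_name": "Ada", "role": "admin", "isAdmin": True,
            "address": {"city": "Oslo", "owner": "someone-else"}}
    print(sanitize_update("PATCH /me", body))
```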

Rate limit and batch abuse picks

```text
X-Forwarded-For: 1.2.3.4
X-Real-IP: 5.6.7.8
Forwarded: for=9.9.9.9
```

GraphQL or JSON batch abuse candidates:
  • arrays of login mutations
  • bulk object fetches with varying IDs
  • repeated password reset or verification calls in one request

4. RATE LIMIT BYPASS FAMILIES

```text
X-Forwarded-For
X-Real-IP
Forwarded
User-Agent rotation
Path case / slash variants
```
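Each bypass family above, and the batch candidates in section 3, correspond to a mistake in how the limiter derives its bucket key or counts work. The following added example (written for this page, not taken from the skill or any framework) shows one limiter that closes all of them: the client address is taken from X-Forwarded-For only when the TCP peer is a trusted proxy, and then as the right-most hop not belonging to a proxy; X-Real-IP, Forwarded and User-Agent are ignored for keying; path case and slash variants are normalised into one bucket; and a JSON batch is charged one unit per operation. `TRUSTED_PROXIES`, the limits and all addresses are constructed values.

```python
import ipaddress
import time
from collections import defaultdict, deque
from typing import Any, Dict, Optional

# Constructed: the reverse proxies that are allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
LIMIT = 5            # units (requests or batched operations) per window
WINDOW_SECONDS = 60


def _is_trusted(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Resolve the address to rate-limit on.

    Only X-Forwarded-For is honoured, and only when the TCP peer is one of our
    proxies. X-Real-IP and Forwarded are ignored because nothing in front of the
    app sets them. From XFF the right-most address not belonging to a trusted
    proxy is used, so client-supplied prefixes cannot pick the bucket.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer):
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # unparsable entry injected by the client; skip it
        if not _is_trusted(addr):
            return str(addr)
    return peer_ip


def normalize_path(path: str) -> str:
    """Collapse case, duplicate and trailing slashes so variants share one bucket.

    This is only the limiter key; routing still sees the original path.
    """
    path = path.split("?", 1)[0].lower()
    while "//" in path:
        path = path.replace("//", "/")
    return path.rstrip("/") or "/"


def batch_size(body: Any) -> int:
    """Count operations in a JSON batch body so each one is charged."""
    if isinstance(body, list):
        return sum(batch_size(item) for item in body)
    return 1


class SlidingWindowLimiter:
    def __init__(self, limit: int = LIMIT, window: float = WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.hits: Dict[tuple, deque] = defaultdict(deque)

    def allow(self, peer_ip: str, headers: Dict[str, str], path: str,
              operations: int = 1, now: Optional[float] = None) -> bool:
        """Charge `operations` units against (client, path); True if still within limit."""
        now = time.time() if now is None else now
        key = (client_ip(peer_ip, headers), normalize_path(path))
        window = self.hits[key]
        while window and window[0] <= now - self.window:
            window.popleft()
        if len(window) + operations > self.limit:
            return False
        window.extend([now] * operations)
        return True


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=3)
    spoofed = {"X-Forwarded-For": "1.2.3.4, 203.0.113.7", "X-Real-IP": "5.6.7.8"}
    for path in ("/api/login", "/API/login/", "/api//login"):
        print(path, limiter.allow("10.0.0.5", spoofed, path, now=0))
    print("4th:", limiter.allow("10.0.0.5", spoofed, "/api/login", now=1))
```

The test values use 203.0.113.0/24 (documentation range) as the real client and the page's 1.2.3.4 / 5.6.7.8 as the client-supplied header values; rotating those, the User-Agent, or the path spelling never moves the request out of its bucket.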

5. NEXT ROUTING

  • For GraphQL batching and hidden parameters: graphql and hidden parameters
  • For default credential and brute-force planning: authentication bypass
  • For full JWT and OAuth depth: jwt oauth token attacks
  • For OAuth or OIDC configuration flaws in browser and SSO flows: oauth oidc misconfiguration
  • For credentialed browser reads and origin trust bugs: cors cross origin misconfiguration