SKILL: API Auth and JWT Abuse — Token Trust, Header Tricks, and Rate Limits

AI LOAD INSTRUCTION: Use this skill when APIs rely on JWT, bearer tokens, API keys, or weak request identity signals. Focus on token trust boundaries, claim misuse, header spoofing, and rate-limit bypass.

1. TOKEN TRIAGE

Inspect:

• alg, kid, jku, x5u

• role, org, tenant, scope, or privilege claims

• issuer and audience mismatches

• reuse of mobile and web tokens across products

2. QUICK ATTACK PICKS

Pattern

First Test

alg:none acceptance

unsigned token with trailing dot

RS256 confusion

switch to HS256 using public key as secret

kid lookup trust

path traversal or injection in kid

remote key fetch trust

attacker-controlled jku or x5u

weak secret

offline crack with targeted wordlists

3. HIDDEN FIELDS AND BATCH ABUSE

Mass assignment field picks

role

isAdmin

admin

verified

plan

tier

permissions

org

owner

Rate limit and batch abuse picks

X-Forwarded-For: 1.2.3.4

X-Real-IP: 5.6.7.8

Forwarded: for=9.9.9.9

GraphQL or JSON batch abuse candidates:

• arrays of login mutations

• bulk object fetches with varying IDs

• repeated password reset or verification calls in one request

4. RATE LIMIT BYPASS FAMILIES

X-Forwarded-For

X-Real-IP

Forwarded

User-Agent rotation

Path case / slash variants

5. NEXT ROUTING

• For GraphQL batching and hidden parameters: graphql and hidden parameters

• For default credential and brute-force planning: authentication bypass

• For full JWT and OAuth depth: jwt oauth token attacks

• For OAuth or OIDC configuration flaws in browser and SSO flows: oauth oidc misconfiguration

• For credentialed browser reads and origin trust bugs: cors cross origin misconfiguration