AgentSkillsCN

jwt-library-flaws

在代码审查过程中,检测JWT库实现中的漏洞。在审查JWT库的实现、审计身份验证/授权代码、遇到JWT解析/验证逻辑,或调查身份验证绕过漏洞时使用此功能。可通过“JWT验证”“令牌签名”“alg头处理”“签名验证”“JWS/JWE实现”、“身份验证绕过”、“算法混淆”等指令触发。

SKILL.md
--- frontmatter
name: jwt-library-flaws
description: Detect JWT library implementation vulnerabilities during code review. Use when reviewing JWT library implementations, auditing authentication/authorization code, encountering JWT parsing/verification logic, or investigating auth bypass vulnerabilities. Triggers: JWT verification, token signing, alg header handling, signature validation, JWS/JWE implementation, authentication bypass, algorithm confusion.

JWT Library Vulnerability Detection

Identify implementation flaws in JWT libraries—not consumer misuse, but bugs in verification logic itself.

Core Vulnerabilities

FlawDetection Question
None AlgorithmDoes unknown/empty alg fail closed? Is "none" explicitly rejected?
Algorithm ConfusionCan alg header switch key type (RS→HS)? Is key type enforced?
Empty SignatureDoes empty signature input cause verification to pass?
Unknown Alg FallthroughDoes unsupported algorithm return error or empty/default value?
Kid InjectionIs kid sanitized before file/DB lookup?
Embedded JWKAre jwk/jku/x5u headers trusted from token?
Signature SkipIs there a decode path that bypasses verification?

Code Review Checklist

Algorithm Handling

  • Algorithm allowlist exists (not denylist)
  • Algorithm specified server-side, not from token header
  • Unknown algorithms throw/return error
  • Case-insensitive "none"/"None"/"NONE" all rejected

Signature Verification

  • Empty/missing signature fails verification
  • Signature computation errors propagate (not swallowed)
  • No decode-without-verify public API

Key Management

  • Key type enforced (RSA key can't be used for HMAC)
  • kid parameter sanitized (no path traversal, SQL injection)
  • Embedded keys (jwk, jku, x5u) not trusted

Red Flags

code
// DANGEROUS: Algorithm from token drives verification
alg = header["alg"]
verify(token, alg, key)

// DANGEROUS: Empty result instead of error
func getSignature(alg) -> string {
    if alg == "HS256": return hmac(...)
    return ""  // Should throw!
}

// DANGEROUS: Comparison passes on empty
if computedSig == providedSig  // Both empty = true!

Secure Patterns

code
// CORRECT: Server specifies algorithm
verify(token, allowedAlgorithms=["RS256"], key)

// CORRECT: Fail on unknown
func getSignature(alg) -> Result<string, Error> {
    if alg == "HS256": return Ok(hmac(...))
    return Err("unsupported algorithm")
}

// CORRECT: Require non-empty signature
if sig.isEmpty(): return Err("missing signature")
if !constantTimeCompare(computed, provided): return Err("invalid")

References