Agent Skillszhaoxuya520/reverse-skill › competition-jwt-claim-confusion

competition-jwt-claim-confusion

GitHub

用于CTF沙箱中JWT/JWS/JWE验证路径分析,检查头解析、密钥选择、声明接受及身份混淆漏洞。需在编排器激活后使用,追踪从令牌到权限接受的完整流程,复现最小化利用链以证明关键逻辑缺陷。

CTF-Sandbox-Orchestrator/competition-jwt-claim-confusion/SKILL.md zhaoxuya520/reverse-skill

Trigger Scenarios

用户要求检查JWT头部或声明 需要分析kid处理或alg混淆 询问受众或发行者验证逻辑 解释令牌如何被接受为身份或特权

Install

npx skills add zhaoxuya520/reverse-skill --skill competition-jwt-claim-confusion -g -y
More Options

Non-standard path

npx skills add https://github.com/zhaoxuya520/reverse-skill/tree/main/CTF-Sandbox-Orchestrator/competition-jwt-claim-confusion -g -y

Use without installing

npx skills use zhaoxuya520/reverse-skill@competition-jwt-claim-confusion

指定 Agent (Claude Code)

npx skills add zhaoxuya520/reverse-skill --skill competition-jwt-claim-confusion -a claude-code -g -y

安装 repo 全部 skill

npx skills add zhaoxuya520/reverse-skill --all -g -y

预览 repo 内 skill

npx skills add zhaoxuya520/reverse-skill --list

SKILL.md

Frontmatter
{
    "name": "competition-jwt-claim-confusion",
    "description": "Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for JWT, JWS, and JWE validation paths, header parsing, key selection, claim acceptance, audience and issuer checks, role derivation, and token-to-identity confusion bugs. Use when the user asks to inspect JWT headers or claims, key lookup, `kid` handling, `alg` confusion, audience or issuer validation, role claims, or explain how a token becomes accepted identity or privilege. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here."
}

Competition JWT Claim Confusion

Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.

Use this skill when the decisive bug is not just "there is a JWT," but how headers, claims, and key selection turn into accepted identity.

Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start

  1. Split the token path into parse, key lookup, signature or decryption, claim validation, and final acceptance.
  2. Record header fields, claims, key source, issuer, audience, and role mapping before mutating anything.
  3. Separate possession of a token from the exact service that accepts it.
  4. Keep parser behavior, trust policy, and resulting app session or privilege in one chain.
  5. Reproduce the smallest token-to-acceptance flow that proves the decisive confusion.

Workflow

1. Map Header And Key Selection

  • Record header fields such as alg, kid, typ, cty, jku, or embedded key material when present.
  • Note where keys come from: static config, JWKS, local file, cache, or dynamic lookup.
  • Keep token parser, key selection path, and validation mode tied together.

2. Prove Claim-To-Privilege Acceptance

  • Show how subject, audience, issuer, tenant, scope, role, or custom claims become app session, route access, or backend privilege.
  • Record expiration, not-before, clock skew, issuer matching, audience matching, and claim normalization behavior.
  • Distinguish token parse success from actual authorization success.

3. Reduce To The Decisive JWT Path

  • Compress the result to the smallest sequence: token supplied -> parser or key path taken -> claim accepted -> resulting capability.
  • Keep one canonical accepted token path and one mutated token path if confusion or bypass depends on a delta.
  • If the task broadens into a larger OAuth redirect chain, hand back to the tighter OAuth skill.

Read This Reference

  • Load references/jwt-claim-confusion.md for the header checklist, claim checklist, and evidence packaging.

What To Preserve

  • Raw headers, claims, key source, JWKS or local key path, and the accepting service
  • The exact validation or normalization step that turns the token into accepted identity
  • One minimal replayable token-to-acceptance sequence

Version History

  • 1bec1f2 Current 2026-07-05 18:45

Same Skill Collection

CTF-Sandbox-Orchestrator/competition-crypto-mobile/SKILL.md
CTF-Sandbox-Orchestrator/competition-reverse-pwn/SKILL.md
CTF-Sandbox-Orchestrator/competition-stego-media/SKILL.md
CTF-Sandbox-Orchestrator/competition-web-runtime/SKILL.md
CTF-Sandbox-Orchestrator/ctf-sandbox-orchestrator/SKILL.md
skills/apk-reverse/SKILL.md
skills/binary-diff/SKILL.md
skills/browser-automation/SKILL.md
skills/docs-generator/SKILL.md
skills/dotnet-reverse/SKILL.md
skills/firmware-pentest/SKILL.md
skills/js-reverse/SKILL.md
skills/patch-diff-exploit/SKILL.md
skills/pentest-tools/SKILL.md
skills/pentest-tools/src-hunter/SKILL.md
skills/pwn-chain/SKILL.md
skills/radare2/SKILL.md
CTF-Sandbox-Orchestrator/competition-ad-certificate-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-agent-cloud/SKILL.md
CTF-Sandbox-Orchestrator/competition-android-hooking/SKILL.md
CTF-Sandbox-Orchestrator/competition-browser-persistence/SKILL.md
CTF-Sandbox-Orchestrator/competition-bundle-sourcemap-recovery/SKILL.md
CTF-Sandbox-Orchestrator/competition-cloud-metadata-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-container-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-custom-protocol-replay/SKILL.md
CTF-Sandbox-Orchestrator/competition-dpapi-credential-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-file-parser-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-firmware-layout/SKILL.md
CTF-Sandbox-Orchestrator/competition-forensic-timeline/SKILL.md
CTF-Sandbox-Orchestrator/competition-graphql-rpc-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-identity-windows/SKILL.md
CTF-Sandbox-Orchestrator/competition-ios-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-k8s-control-plane/SKILL.md
CTF-Sandbox-Orchestrator/competition-kerberos-delegation/SKILL.md
CTF-Sandbox-Orchestrator/competition-kernel-container-escape/SKILL.md
CTF-Sandbox-Orchestrator/competition-linux-credential-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-lsass-ticket-material/SKILL.md
CTF-Sandbox-Orchestrator/competition-mailbox-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-malware-config/SKILL.md
CTF-Sandbox-Orchestrator/competition-oauth-oidc-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-pcap-protocol/SKILL.md
CTF-Sandbox-Orchestrator/competition-prompt-injection/SKILL.md
CTF-Sandbox-Orchestrator/competition-queue-worker-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-race-condition-state-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-relay-coercion-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-request-normalization-smuggling/SKILL.md
CTF-Sandbox-Orchestrator/competition-runtime-routing/SKILL.md
CTF-Sandbox-Orchestrator/competition-ssrf-metadata-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-supply-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-template-render-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-websocket-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-windows-pivot/SKILL.md
skills/diagram-generator/SKILL.md
skills/edr-bypass-re/SKILL.md
skills/ida-reverse/SKILL.md
skills/reverse-engineering/SKILL.md

Metadata

Files
0
Version
1bec1f2
Hash
f470a046
Indexed
2026-07-05 18:45

trang chủ - Wiki
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-08 20:30
浙ICP备14020137号-1 $bản đồ khách truy cập$