Back to Details

competition-jwt-claim-confusion

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Competition JWT Claim Confusion

竞赛JWT声明混淆

Use this skill only as a downstream specialization after 
$ctf-sandbox-orchestrator
is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to 
$ctf-sandbox-orchestrator
first.
Use this skill when the decisive bug is not just "there is a JWT," but how headers, claims, and key selection turn into accepted identity.
Reply in Simplified Chinese unless the user explicitly requests English.
仅当
$ctf-sandbox-orchestrator
已处于激活状态,且已完成沙箱假设、节点所有权和证据优先级的设定后,才可作为下游专项技能使用。如果尚未满足上述条件,请先回到
$ctf-sandbox-orchestrator
流程。
当核心漏洞不只是「存在JWT」,而是涉及头部、声明和密钥选择如何转化为被接纳的身份时,使用本技能。
除非用户明确要求使用英文,否则使用简体中文回复。

Quick Start

快速开始

  1. Split the token path into parse, key lookup, signature or decryption, claim validation, and final acceptance.
  2. Record header fields, claims, key source, issuer, audience, and role mapping before mutating anything.
  3. Separate possession of a token from the exact service that accepts it.
  4. Keep parser behavior, trust policy, and resulting app session or privilege in one chain.
  5. Reproduce the smallest token-to-acceptance flow that proves the decisive confusion.
  1. 将令牌处理路径拆分为解析、密钥查找、签名或解密、声明校验、最终接纳几个步骤。
  2. 在修改任何内容前,先记录头部字段、声明、密钥来源、颁发者、受众和角色映射关系。
  3. 将令牌持有情况和实际接纳该令牌的服务区分开。
  4. 把解析器行为、信任策略和最终生成的应用会话或权限关联到完整链路中。
  5. 复现最小化的令牌到接纳流程,证明核心混淆漏洞的存在。

Workflow

工作流

1. Map Header And Key Selection

1. 映射头部与密钥选择逻辑

  • Record header fields such as 
    alg
    , 
    kid
    , 
    typ
    , 
    cty
    , 
    jku
    , or embedded key material when present.
  • Note where keys come from: static config, JWKS, local file, cache, or dynamic lookup.
  • Keep token parser, key selection path, and validation mode tied together.
  • 记录存在的头部字段,例如
    alg
    kid
    typ
    cty
    jku
    或嵌入式密钥材料。
  • 标注密钥的来源:静态配置、JWKS、本地文件、缓存或动态查找。
  • 将令牌解析器、密钥选择路径和校验模式三者关联对应。

2. Prove Claim-To-Privilege Acceptance

2. 证明声明到权限的接纳逻辑

  • Show how subject, audience, issuer, tenant, scope, role, or custom claims become app session, route access, or backend privilege.
  • Record expiration, not-before, clock skew, issuer matching, audience matching, and claim normalization behavior.
  • Distinguish token parse success from actual authorization success.
  • 展示主体、受众、颁发者、租户、作用域、角色或自定义声明如何转化为应用会话、路由访问权限或后端权限。
  • 记录过期时间、生效时间、时钟偏移、颁发者匹配、受众匹配和声明归一化行为。
  • 区分令牌解析成功和实际授权成功两个场景。

3. Reduce To The Decisive JWT Path

3. 精简出核心JWT处理路径

  • Compress the result to the smallest sequence: token supplied -> parser or key path taken -> claim accepted -> resulting capability.
  • Keep one canonical accepted token path and one mutated token path if confusion or bypass depends on a delta.
  • If the task broadens into a larger OAuth redirect chain, hand back to the tighter OAuth skill.
  • 将结果压缩为最小序列:提交令牌 -> 执行解析或密钥查找路径 -> 声明被接纳 -> 获得对应权限。
  • 如果混淆或绕过依赖于差异对比,保留一条标准可接纳令牌路径和一条修改后的令牌路径。
  • 如果任务扩展为更大的OAuth重定向链路,交还给更针对性的OAuth技能处理。

Read This Reference

参考文档

  • Load 
    references/jwt-claim-confusion.md
    for the header checklist, claim checklist, and evidence packaging.
  • 加载
    references/jwt-claim-confusion.md
    查看头部检查清单、声明检查清单和证据整理规范。

What To Preserve

需要留存的内容

  • Raw headers, claims, key source, JWKS or local key path, and the accepting service
  • The exact validation or normalization step that turns the token into accepted identity
  • One minimal replayable token-to-acceptance sequence
  • 原始头部、声明、密钥来源、JWKS或本地密钥路径,以及接纳令牌的服务
  • 将令牌转化为被接纳身份的具体校验或归一化步骤
  • 一条最小可复现的令牌到接纳流程序列