# Break JWT Validation

## Goal

Identify whether JWT handling is weak enough to allow acceptance of invalid, stale, mis-scoped, or attacker-influenced tokens.

## Assumptions

- the app uses JWTs for auth or session-like state
- validation logic may be inconsistent across services
- developers may confuse token presence with valid authorization

## Prerequisites

- sample tokens from authenticated flows
- ability to replay requests
- basic understanding of JWT structure (base64url-encoded header, payload, and signature, joined by dots)

## Recon steps

1. Determine where tokens are issued and consumed.
2. Map claims that appear to influence authorization (for example `sub`, `role`, `scope`, `aud`).
3. Identify whether multiple services validate the same token differently.

## Exploit / test steps

1. Replay expired or old tokens (past `exp`, or issued before a logout or password change).
2. Remove or alter non-critical claims to observe validation strictness. Any change to the payload invalidates the signature, so a service that still accepts the edited token is not verifying the signature at all.
3. Test whether audience, issuer, or scope checks are enforced: present a token minted for a different audience or issuer, or one whose `scope` does not cover the requested action.
4. Compare behavior across web, mobile, and API entry points using the same token.
5. Check whether logout or privilege changes actually revoke token usefulness; a stateless JWT stays valid until `exp` unless the server tracks revocation.

## Validation clues

- expired tokens still work
- changed or missing claims are accepted
- different services accept different token states
- authorization decisions rely on weak or stale claims

## Mitigation

- validate signature, issuer, audience, expiry, and relevant claims consistently, ideally through one shared library or gateway rather than per-service code
- separate authentication (the token is genuine and current) from authorization (this subject may perform this action)
- minimize token lifetime and scope
- design explicit revocation strategies where needed, such as short-lived access tokens paired with revocable refresh tokens, or a server-side denylist keyed on `jti`

## Logging / detection

- repeated use of expired tokens
- token claim anomalies
- inconsistent auth decisions across services for the same subject

## Related notes

- auth-flaws
- JWT Attacks
- token-lifecycle
- session-management

## References

- Foundational: OWASP Authentication Cheat Sheet — https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
- Testing / Lab: PortSwigger Web Security Academy — https://portswigger.net/web-security
- Foundational: OWASP WSTG — https://owasp.org/www-project-web-security-testing-guide/latest/
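The exploit / test steps and the mitigation list, as an added example that is not part of the original playbook: a stdlib-only Python script that mints HS256 tokens with a constructed demo key and assumed issuer/audience values, then runs each playbook case (expired replay, tampered claim, wrong audience, wrong issuer) through a lax validator that only parses the payload and a strict one that checks signature, `exp`/`nbf`, `iss` and `aud`. All keys, claim values and function names are assumptions for the demo.

```python
"""Added example (not from the playbook): mint HS256 JWTs with the stdlib and
run the playbook's test cases against a lax validator and a strict one."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the demo; a real service loads its key from a secret store.
DEMO_KEY = b"demo-signing-key-not-for-production"
ISSUER = "https://issuer.example"   # assumed issuer value
AUDIENCE = "orders-api"             # assumed audience value


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build a compact-serialized HS256 JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def lax_validate(token: str) -> Optional[dict]:
    """The anti-pattern the playbook probes: 'a token is present and parses' is
    treated as authorization. No signature, expiry, issuer or audience check."""
    try:
        _, payload_b64, _ = token.split(".")
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad segment count, bad base64, bad JSON
        return None


def strict_validate(token: str, key: bytes, issuer: str, audience: str,
                    now: Optional[float] = None) -> Optional[dict]:
    """Verify signature first, then exp/nbf, then iss and aud. Returns claims or None."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None  # missing exp is rejected, not treated as "never expires"
    if claims.get("nbf", 0) > now:
        return None
    if claims.get("iss") != issuer:
        return None
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None
    return claims


def run_playbook_cases(now: float = 1_700_000_000.0) -> dict:
    """Return {case: (lax_accepts, strict_accepts)} for each playbook test step."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "role": "user",
            "iat": now - 60, "exp": now + 300}
    cases = {
        "valid": sign_hs256(base, DEMO_KEY),
        # step 1: replay of a token whose exp is in the past
        "expired": sign_hs256({**base, "exp": now - 3600}, DEMO_KEY),
        # step 3: token minted for a different consumer
        "wrong_audience": sign_hs256({**base, "aud": "billing-api"}, DEMO_KEY),
        # step 3: token from an unexpected issuer, signed under some other key
        "wrong_issuer": sign_hs256({**base, "iss": "https://evil.example"}, b"other-key"),
    }
    # step 2: re-encode the payload with an escalated claim but keep the original signature
    header_b64, _, sig_b64 = cases["valid"].split(".")
    tampered = _b64url_encode(json.dumps({**base, "role": "admin"}, separators=(",", ":")).encode())
    cases["tampered_role"] = f"{header_b64}.{tampered}.{sig_b64}"
    return {
        name: (lax_validate(tok) is not None,
               strict_validate(tok, DEMO_KEY, ISSUER, AUDIENCE, now=now) is not None)
        for name, tok in cases.items()
    }


if __name__ == "__main__":
    for case, (lax_ok, strict_ok) in run_playbook_cases().items():
        print(f"{case:15s} lax={'ACCEPT' if lax_ok else 'reject'}  strict={'ACCEPT' if strict_ok else 'reject'}")
```

The lax validator accepts every case, which is exactly the "validation clues" pattern; the strict one accepts only the untouched, unexpired, correctly addressed token. Note that `strict_validate` still says nothing about revocation: a token signed before a logout passes every check until `exp`, which is why the mitigation list calls for an explicit revocation strategy on top of claim validation.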
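The logging / detection clues, as an added example that is not part of the original playbook: a Python script that runs the three detections (expired tokens still being accepted or repeatedly presented, the same token getting different decisions across services, and the same token id surfacing with different claim values) over constructed JSON-lines authorization-decision records. The field names `ts`, `svc`, `sub`, `jti`, `exp`, `decision`, `src` and `role` are assumptions for the demo and should be mapped onto your own gateway or service log schema.

```python
"""Added example (not from the playbook): playbook detections over constructed
per-request authorization-decision log records."""
import json
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample log (JSON lines), one record per authorization decision.
# Field names are assumptions for this demo, not a real product's schema.
SAMPLE_LOG = """
{"ts": 1700000000, "svc": "web",    "sub": "alice", "jti": "t1", "exp": 1700000300, "decision": "allow", "src": "10.0.0.5"}
{"ts": 1700000400, "svc": "web",    "sub": "alice", "jti": "t1", "exp": 1700000300, "decision": "allow", "src": "10.0.0.5"}
{"ts": 1700000410, "svc": "api",    "sub": "alice", "jti": "t1", "exp": 1700000300, "decision": "deny",  "src": "10.0.0.5"}
{"ts": 1700000420, "svc": "mobile", "sub": "alice", "jti": "t1", "exp": 1700000300, "decision": "allow", "src": "10.0.0.5"}
{"ts": 1700000500, "svc": "api",    "sub": "bob",   "jti": "t2", "exp": 1700000200, "decision": "deny",  "src": "198.51.100.7"}
{"ts": 1700000501, "svc": "api",    "sub": "bob",   "jti": "t2", "exp": 1700000200, "decision": "deny",  "src": "198.51.100.7"}
{"ts": 1700000502, "svc": "api",    "sub": "bob",   "jti": "t2", "exp": 1700000200, "decision": "deny",  "src": "198.51.100.7"}
{"ts": 1700000600, "svc": "api",    "sub": "carol", "jti": "t3", "exp": 1700000900, "decision": "allow", "src": "10.0.0.9", "role": "user"}
{"ts": 1700000610, "svc": "api",    "sub": "carol", "jti": "t3", "exp": 1700000900, "decision": "allow", "src": "10.0.0.9", "role": "admin"}
"""


def parse_log(text: str) -> List[dict]:
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(records: List[dict], repeat_threshold: int = 3) -> Dict[str, list]:
    """Apply the playbook's detection clues and return one finding list per clue."""
    expired_accepted = []                 # a service honoured a token past its exp
    expired_by_src = Counter()            # expired presentations per source, any decision
    decisions_by_jti = defaultdict(set)   # (service, decision) pairs seen per token id
    claims_by_jti = defaultdict(set)      # role values seen per token id
    for r in records:
        is_expired = r["ts"] >= r["exp"]
        if is_expired:
            expired_by_src[r["src"]] += 1
            if r["decision"] == "allow":
                expired_accepted.append((r["svc"], r["sub"], r["jti"]))
        decisions_by_jti[r["jti"]].add((r["svc"], r["decision"]))
        if "role" in r:
            claims_by_jti[r["jti"]].add(r["role"])
    return {
        # highest severity: expired tokens still work somewhere
        "expired_token_accepted": expired_accepted,
        # replay pressure: the same source keeps presenting expired tokens
        "repeated_expired_use": sorted(
            src for src, n in expired_by_src.items() if n >= repeat_threshold),
        # the same token is allowed by one service and denied by another
        "inconsistent_decisions": sorted(
            jti for jti, seen in decisions_by_jti.items()
            if len({decision for _, decision in seen}) > 1),
        # the same signed token id shows up with different claim values: tampering
        # that only gets through if the signature is not being checked
        "claim_anomalies": sorted(
            jti for jti, roles in claims_by_jti.items() if len(roles) > 1),
    }


if __name__ == "__main__":
    for clue, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{clue}: {hits}")
```

In the constructed sample, `web` and `mobile` accept alice's token after `exp` while `api` rejects it, which is both an expired-token acceptance and an inconsistent-decision finding for `t1`; bob's source trips the repeat threshold on denied expired presentations; and carol's `t3` appears first as `user` and then as `admin`, a claim anomaly that should never occur for a token whose signature is verified.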