CyberMCP

Implementation Reference

• src/tools/authentication.ts:263-349 (handler)

  The handler function that analyzes the provided JWT token for common vulnerabilities. It decodes the header and payload, checks the algorithm (e.g., 'none'), expiration, and presence of standard claims like iat, iss, sub.
  async ({ jwt_token }) => { try { // Split the token const parts = jwt_token.split("."); if (parts.length !== 3) { return { content: [ { type: "text", text: "Invalid JWT format. Expected 3 parts (header.payload.signature).", }, ], }; } // Decode header const headerBase64 = parts[0]; const headerJson = Buffer.from(headerBase64, "base64").toString(); const header = JSON.parse(headerJson); // Decode payload const payloadBase64 = parts[1]; const payloadJson = Buffer.from(payloadBase64, "base64").toString(); const payload = JSON.parse(payloadJson); // Check for security issues const issues = []; // Check algorithm if (header.alg === "none") { issues.push("Critical: 'none' algorithm used - authentication can be bypassed"); } if (header.alg === "HS256" || header.alg === "RS256") { // These are generally good, but we'll note it } else { issues.push(`Warning: Unusual algorithm ${header.alg} - verify if intended`); } // Check expiration if (!payload.exp) { issues.push("High: No expiration claim (exp) - token never expires"); } else { const expDate = new Date(payload.exp * 1000); const now = new Date(); if (expDate < now) { issues.push(`Info: Token expired on ${expDate.toISOString()}`); } else { const daysDiff = Math.floor((expDate.getTime() - now.getTime()) / (1000 * 60 * 60 * 24)); if (daysDiff > 30) { issues.push(`Medium: Long expiration time (${daysDiff} days) - consider shorter lifetime`); } } } // Check for missing recommended claims if (!payload.iat) { issues.push("Low: Missing 'issued at' claim (iat)"); } if (!payload.iss) { issues.push("Low: Missing 'issuer' claim (iss)"); } if (!payload.sub) { issues.push("Low: Missing 'subject' claim (sub)"); } return { content: [ { type: "text", text: issues.length > 0 ? `JWT Analysis Results:\n\nHeader: ${JSON.stringify(header, null, 2)}\n\nPayload: ${JSON.stringify(payload, null, 2)}\n\nSecurity Issues:\n${issues.join("\n")}` : `JWT Analysis Results:\n\nHeader: ${JSON.stringify(header, null, 2)}\n\nPayload: ${JSON.stringify(payload, null, 2)}\n\nNo security issues detected.`, }, ], }; } catch (error) { return { content: [ { type: "text", text: `Error analyzing JWT: ${(error as Error).message}`, }, ], }; } }
• src/tools/authentication.ts:260-263 (schema)

  Zod input schema defining the required 'jwt_token' parameter.
  { jwt_token: z.string().describe("JWT token to analyze for vulnerabilities"), }, async ({ jwt_token }) => {
• src/tools/authentication.ts:258-350 (registration)

  Direct registration of the 'jwt_vulnerability_check' tool using server.tool(), including schema and handler, within the registerAuthenticationTools function.
  server.tool( "jwt_vulnerability_check", { jwt_token: z.string().describe("JWT token to analyze for vulnerabilities"), }, async ({ jwt_token }) => { try { // Split the token const parts = jwt_token.split("."); if (parts.length !== 3) { return { content: [ { type: "text", text: "Invalid JWT format. Expected 3 parts (header.payload.signature).", }, ], }; } // Decode header const headerBase64 = parts[0]; const headerJson = Buffer.from(headerBase64, "base64").toString(); const header = JSON.parse(headerJson); // Decode payload const payloadBase64 = parts[1]; const payloadJson = Buffer.from(payloadBase64, "base64").toString(); const payload = JSON.parse(payloadJson); // Check for security issues const issues = []; // Check algorithm if (header.alg === "none") { issues.push("Critical: 'none' algorithm used - authentication can be bypassed"); } if (header.alg === "HS256" || header.alg === "RS256") { // These are generally good, but we'll note it } else { issues.push(`Warning: Unusual algorithm ${header.alg} - verify if intended`); } // Check expiration if (!payload.exp) { issues.push("High: No expiration claim (exp) - token never expires"); } else { const expDate = new Date(payload.exp * 1000); const now = new Date(); if (expDate < now) { issues.push(`Info: Token expired on ${expDate.toISOString()}`); } else { const daysDiff = Math.floor((expDate.getTime() - now.getTime()) / (1000 * 60 * 60 * 24)); if (daysDiff > 30) { issues.push(`Medium: Long expiration time (${daysDiff} days) - consider shorter lifetime`); } } } // Check for missing recommended claims if (!payload.iat) { issues.push("Low: Missing 'issued at' claim (iat)"); } if (!payload.iss) { issues.push("Low: Missing 'issuer' claim (iss)"); } if (!payload.sub) { issues.push("Low: Missing 'subject' claim (sub)"); } return { content: [ { type: "text", text: issues.length > 0 ? `JWT Analysis Results:\n\nHeader: ${JSON.stringify(header, null, 2)}\n\nPayload: ${JSON.stringify(payload, null, 2)}\n\nSecurity Issues:\n${issues.join("\n")}` : `JWT Analysis Results:\n\nHeader: ${JSON.stringify(header, null, 2)}\n\nPayload: ${JSON.stringify(payload, null, 2)}\n\nNo security issues detected.`, }, ], }; } catch (error) { return { content: [ { type: "text", text: `Error analyzing JWT: ${(error as Error).message}`, }, ], }; } } );
• src/tools/index.ts:13-13 (registration)

  High-level registration call to registerAuthenticationTools(server), which includes the jwt_vulnerability_check tool.
  registerAuthenticationTools(server);