kid:/dev/null — Sets "kid": "../../../dev/null" in the header and signs with an empty-string secret. The server reads /dev/null (0 bytes) as the key, so HMAC verification passes.
alg:none — Classic unsigned-token bypass.
Empty key — Signs with "" as the HMAC secret.
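As an added example (not part of the tool or its code), a hardened HS256 verifier using only Python's standard library that closes all three of the above: the algorithm is pinned server-side, "kid" is an allow-listed lookup key rather than a file path, and keys shorter than 32 bytes (including the empty string) are refused. The secret, key id and payload are constructed values; make_token exists only to build test inputs.

```python
import base64
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed demo secret: 32 bytes, the minimum HS256 key length (RFC 7518 section 3.2).
SERVER_SECRET = b"constructed-demo-secret-32-bytes"
# Keys are looked up by id in a fixed map, never read from a path derived from "kid".
KEYS = {"main": SERVER_SECRET}
KID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(header: dict, payload: dict, secret: bytes) -> str:
    """Build a compact JWS (HS256 or unsigned 'none'); used only to construct test inputs."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if header.get("alg") == "none":
        return f"{h}.{p}."
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"

def verify(token: str) -> Optional[dict]:
    """Return the payload if the token passes every check below, else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
    except ValueError:
        return None
    # 1. Pin the algorithm: "none" (and any other unexpected alg) is rejected outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    # 2. "kid" is an allow-listed map key; "../../../dev/null" never reaches the filesystem.
    kid = header.get("kid")
    if not isinstance(kid, str) or not KID_RE.fullmatch(kid) or kid not in KEYS:
        return None
    key = KEYS[kid]
    # 3. Refuse empty or short keys, whatever their source.
    if len(key) < 32:
        return None
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return None
    return json.loads(_b64url_decode(p_b64))
```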
JKU Attacker URL
Used by the JKU injection and JWK injection attacks in Auto Exploit.
For JKU: host the generated JWKS at this URL, then submit the token.
For JWK: the public key is embedded directly in the token header, so no hosting is needed.