Red Specter SPECTER FORGERY

AI Agent Identity Forgery & Trust Chain Attack Engine — 9 subsystems covering OIDC JWT forgery, SPIFFE SVID, JWKS poisoning, algorithm confusion (CVE-2025-68664), and cross-vendor identity transmutation.

v1.0.0 — 407 tests passing

Contents

Overview The 9 Subsystems Subsystem Details Full Pipeline Mode Algorithm Confusion — CVE-2025-68664 JWKS Poisoning Techniques Cross-Vendor Transmutation Report Output Requirements Standards Coverage UNLEASHED Disclaimer

Overview

Red Specter SPECTER FORGERY is an AI agent identity forgery and trust chain attack engine. It operationalises the complete identity attack lifecycle — from surface enumeration through credential forgery, token replay, JWKS root-of-trust poisoning, confused deputy privilege escalation, post-publication drift detection, and cross-vendor identity transmutation.

SPECTER FORGERY is NIGHTFALL Tool 83. It provides 9 subsystems under a single CLI (specter-forgery), targeting 7 identity types across 10 AI vendor platforms. CVE-2025-68664 (algorithm confusion, CVSS 9.3) and CVE-2026-44843 (SVID cross-boundary) are operationalised. Every finding is recorded in a SHA-256 hash-chained EvidenceChain and packaged in an Ed25519-signed ForgeReport with FORGE-{hex12} report IDs.

Security teams use SPECTER FORGERY to validate agent identity verification controls, test JWT library algorithm confusion protections, audit JWKS endpoint security, map confused deputy privilege escalation paths, and verify cross-vendor identity boundary enforcement.

The 9 Subsystems

#	Subsystem	Command	Gate	What It Does
01	SURVEY	specter-forgery survey	OPEN	Enumerate AI identity surfaces — OIDC, A2A cards, SPIFFE, KYA, JWKS. Classify by identity type and vendor
02	MINT	specter-forgery mint	INJECT	Forge credentials — OIDC JWT (RS256/ES256/HS256), SPIFFE SVID, KYA attestation, A2A card, Entra token
03	REPLAY	specter-forgery replay	INJECT	Captured token manipulation — expiry bypass, alg:none strip, scope creep, OBO chain, cross-tenant injection
04	CARD	specter-forgery card	INJECT	A2A agent card attacks — substitution, skill injection, capability escalation, URL redirection, registry inject
05	DEPUTY	specter-forgery deputy	INJECT	Confused deputy chains — RS256→HS256 algorithm confusion CVE-2025-68664, OBO scope escalation, cross-service reuse
06	JWKS	specter-forgery jwks	INJECT	JWKS root-of-trust poisoning — key injection, kid path traversal, alg confusion, empty keys bypass, rotation poison
07	DRIFT	specter-forgery drift	OPEN	Post-publication identity drift detection — baseline comparison, attribute mutation scoring, dead-man sentinel
08	TRANSMUTE	specter-forgery transmute	DESTROY	Cross-vendor identity transmutation — 8 paths, CVE-2026-44843 SVID cross-boundary, claim translation & re-signing
09	REPORT	specter-forgery report	OPEN	Ed25519-signed ForgeReport — FORGE-{hex12} ID, SHA-256 hash-chained evidence, ATT&CK + ATLAS mapping

Subsystem Details

01 SURVEY specter-forgery survey <TARGET>

Enumerates AI identity surfaces exposed by the target and classifies each discovery by identity type and vendor.

OIDC discovery — fetches /.well-known/openid-configuration, extracts issuer, JWKS URI, token endpoint
A2A agent cards — fetches /.well-known/agent.json, parses capabilities, skills, authentication
SPIFFE trust bundles — probes SPIFFE trust domain endpoints, enumerates SVID validation paths
KYA attestation — discovers Know Your Agent attestation endpoints and attestation schemas
JWKS enumeration — fetches JWKS endpoints, inventories key IDs, algorithms, and key ages
Classification — maps each discovery to one of 7 identity types across 10 vendor targets
Gate — OPEN, no flags required

02 MINT specter-forgery mint <TARGET> --override

Credential forgery factory — generates cryptographically valid forged credentials for the specified identity type.

OIDC JWT — real PyJWT signing with RS256 (2048-bit key), ES256 (P-256), or HS256. Configurable claims (sub, iss, aud, exp, iat, email, roles, oid, tid)
SPIFFE SVID — X.509 certificate with spiffe://<trust_domain>/<workload> in UniformResourceIdentifier SAN extension. RSA-2048 + SHA-256
KYA attestation — JSON attestation document with agent_id, capabilities, policy_hash, timestamp, and operator_signature field
A2A agent card — Google A2A-compatible JSON card with name, description, url, capabilities array, skills array, authentication block
Entra service principal — Azure AD-format JWT with appid, tid, oid, roles, scp claims
Gate — INJECT, requires --override

03 REPLAY specter-forgery replay <TARGET> --captured-token <TOKEN> --override

Manipulates captured credentials for replay with elevated privilege or extended validity.

expiry_bypass — modifies exp claim to far future timestamp, re-signs where possible
signature_strip — sets alg to none, removes signature, tests for vulnerable verifiers
scope_creep — injects additional scopes into scp / scope claim (e.g., adds admin, write)
obo_chain — constructs On-Behalf-Of token chain, escalating from subject token to higher-privilege service token
cross_tenant — injects foreign tid (tenant ID) to test cross-tenant isolation
audience_confusion — modifies aud claim to target a different service than the original token
Gate — INJECT, requires --override

04 CARD specter-forgery card <TARGET> --technique <TECHNIQUE> --override

Attacks A2A agent card trust — manipulates published agent discovery cards to inject malicious capabilities or redirect agent interactions.

card_substitution — replaces the agent card at the discovery endpoint with an attacker-controlled card
skill_injection — appends malicious skill entries to the agent's advertised capability list
capability_escalation — elevates existing capabilities by adding credential_access, admin, and destructive actions
url_redirection — modifies the card's endpoint URL to redirect agent interactions to an attacker server
registry_injection — injects the forged card into agent discovery registries
Gate — INJECT, requires --override

05 DEPUTY specter-forgery deputy <TARGET> --technique <TECHNIQUE> --override

Confused deputy attack chain — exploits the relationship between caller identity and service permissions.

alg_confusion — RS256→HS256 algorithm confusion (CVE-2025-68664, CVSS 9.3). Fetches RSA public key from JWKS, constructs HS256 token using public key PEM as HMAC secret via manual HMAC-SHA256 construction
obo_privilege — OBO flow scope escalation — constructs an OBO token with scopes not present in the original assertion
multi_hop — multi-hop privilege amplification through a chain of OBO flows
cross_service_reuse — presents a service A token to service B to test cross-service scope enforcement
Gate — INJECT, requires --override

06 JWKS specter-forgery jwks <JWKS_URL> --technique <TECHNIQUE> --override

JWKS root-of-trust poisoning — attacks the key discovery mechanism used to validate JWT signatures.

key_injection — injects attacker RSA or EC key into the JWKS key set. Tokens signed with the corresponding private key are then accepted
kid_confusion — path traversal in the kid JWT header parameter: ../../etc/passwd, ../../proc/self/environ
alg_confusion_jwks — injects a key with alg: HS256 into the JWKS, then uses the key bytes as HMAC secret for forged tokens
empty_keys — returns an empty JWKS ("keys": []), exploiting verifiers that accept all tokens when no keys are present
rotation_poison — times key injection to coincide with JWKS rotation windows, exploiting the dual-key transition period
Gate — INJECT, requires --override

07 DRIFT specter-forgery drift <TARGET> --published-identity identity.json

Post-publication identity drift detection — monitors for silent mutations to published AI agent identity attributes.

Baseline comparison — fetches current identity document, compares attribute-by-attribute to stored baseline
Attribute mutation scoring — scores trust degradation based on which attributes changed (algorithm change = high severity, URL change = medium, capability add = medium)
Dead-man sentinel — background heartbeat thread writes a timestamp every 30 seconds. If the thread is interrupted (e.g., by an active attacker terminating the monitoring process), the sentinel fires and emits a high-severity DRIFT_SENTINEL_FIRED finding
Supported identity types — A2A agent cards, KYA attestations, OIDC discovery documents, SPIFFE trust bundles
Gate — OPEN, no flags required

08 TRANSMUTE specter-forgery transmute <TARGET> --source-vendor <SRC> --target-vendor <DST> --override --confirm-destroy

Cross-vendor identity transmutation — converts a credential from one trust domain to a form accepted by another vendor's authentication system.

entra → openai — Azure AD JWT converted to OpenAI-accepted API token format
entra → anthropic — Azure AD JWT converted to Anthropic API credential
salesforce → workday — Salesforce Connected App token transmuted to Workday OAuth format
gcp → azure — Google Cloud service account identity token converted to Entra access token
aws → gcp — AWS Cognito/IAM credential transmuted to Google Cloud identity
openai → google_a2a — OpenAI API identity converted to Google A2A agent card credential
kya → lyrie_atp — KYA attestation document transmuted to Lyrie ATP protocol format
okta → dify — Okta OIDC token converted to Dify platform authentication
CVE mapping — CVE-2026-44843 (SVID cross-boundary trust domain confusion)
Gate — DESTROY, requires --override --confirm-destroy and scope file

09 REPORT specter-forgery report --output ./results

Generates an Ed25519-signed ForgeReport aggregating all subsystem findings into a single evidence chain.

Report ID — FORGE-{12 hex chars} format (e.g. FORGE-a3f7c91b2e4d)
EvidenceChain — SHA-256 hash-chained list of findings, each linking to the previous hash
MITRE ATT&CK mapping — T1134, T1552, T1078, T1550, T1606, T1111 auto-annotated per finding
MITRE ATLAS mapping — AML.T0012, AML.T0051, AML.T0056, AML.T0043, AML.T0048
OWASP LLM mapping — LLM01, LLM02, LLM06 per finding category
Ed25519 signature — report signed with operator private key; verifiable with public key
SIEM NDJSON — newline-delimited JSON format for ingestion into Splunk, Sentinel, QRadar
Gate — OPEN, no flags required

Full Pipeline Mode

The full command executes all nine subsystems in sequence: SURVEY → MINT → REPLAY → CARD → DEPUTY → JWKS → DRIFT → TRANSMUTE → REPORT.

$ specter-forgery full <TARGET> --override --confirm-destroy --output ./results
# Full pipeline — DESTROY gate required for TRANSMUTE subsystem
# Scope file at ./forgery_scope.json enforces target boundaries
    

Individual subsystems can be run in isolation for targeted assessments. SURVEY output is consumed as input by MINT, REPLAY, DEPUTY, and JWKS.

Algorithm Confusion — CVE-2025-68664

JWT algorithm confusion attacks exploit the difference between asymmetric (RS256) and symmetric (HS256) verification. When a library calls jwt.decode(token, public_key) without explicitly constraining the allowed algorithms, an attacker who provides a token with alg: HS256 causes the library to interpret the public key PEM bytes as an HMAC-SHA256 secret — and accept any token signed with that secret.

$ specter-forgery deputy <TARGET> --technique alg_confusion --override

# SPECTER FORGERY constructs the forged token manually:
# 1. Fetch RSA public key PEM from JWKS endpoint
# 2. Build header: {"alg":"HS256","typ":"JWT","kid":"specter-deputy-confusion"}
# 3. Build payload with attacker-controlled claims
# 4. Sign: HMAC-SHA256(header.payload, rsa_public_key_pem)
# 5. Submit to target — accepted by vulnerable JWT verifiers
    

CVE-2025-68664 (CVSS 9.3) covers a family of JWT libraries that do not restrict algorithm types in their verification path when a symmetric key is passed.

JWKS Poisoning Techniques

JWKS (JSON Web Key Set) endpoints define which cryptographic keys are trusted for JWT signature verification. Five poisoning techniques are implemented:

$ specter-forgery jwks https://target.ai/.well-known/jwks.json --technique key_injection --override
$ specter-forgery jwks https://target.ai/.well-known/jwks.json --technique kid_confusion --override
$ specter-forgery jwks https://target.ai/.well-known/jwks.json --technique alg_confusion_jwks --override
$ specter-forgery jwks https://target.ai/.well-known/jwks.json --technique empty_keys --override
$ specter-forgery jwks https://target.ai/.well-known/jwks.json --technique rotation_poison --override
    

Cross-Vendor Transmutation

# Eight supported transmutation paths (DESTROY gate):
$ specter-forgery transmute <TARGET> --source-vendor entra      --target-vendor openai     --override --confirm-destroy
$ specter-forgery transmute <TARGET> --source-vendor entra      --target-vendor anthropic  --override --confirm-destroy
$ specter-forgery transmute <TARGET> --source-vendor salesforce --target-vendor workday    --override --confirm-destroy
$ specter-forgery transmute <TARGET> --source-vendor gcp        --target-vendor azure      --override --confirm-destroy
$ specter-forgery transmute <TARGET> --source-vendor aws        --target-vendor gcp        --override --confirm-destroy
$ specter-forgery transmute <TARGET> --source-vendor openai     --target-vendor google_a2a --override --confirm-destroy
$ specter-forgery transmute <TARGET> --source-vendor kya        --target-vendor lyrie_atp  --override --confirm-destroy
$ specter-forgery transmute <TARGET> --source-vendor okta       --target-vendor dify       --override --confirm-destroy
    

Report Output

Every subsystem writes findings into the evidence chain. The REPORT subsystem aggregates them into a signed ForgeReport.

# Aggregate from multiple subsystem output files:
$ specter-forgery report --survey-file survey.json --mint-file mint.json --deputy-file deputy.json --jwks-file jwks.json --output ./results

# Output: FORGE-{12hex}.json + FORGE-{12hex}.ndjson (SIEM format)
# Verify report signature:
$ specter-forgery verify FORGE-a3f7c91b2e4d.json --pub-key operator_pub.pem
    

Requirements

Python 3.11+
cryptography >= 42.0.0 (X.509 SVID generation, Ed25519 signing)
PyJWT >= 2.8.0 (RS256/ES256/HS256 JWT signing)
httpx >= 0.27.0 (async HTTP for SURVEY/DRIFT)
typer >= 0.12.0 (CLI)
rich >= 13.0.0 (terminal output)
pydantic >= 2.0.0 (models)
spiffe >= 0.2.0 (SPIFFE SVID support)
Installation: pip install red-specter-specter-forgery

Standards Coverage

CVE-2025-68664 — JWT algorithm confusion (CVSS 9.3) — operationalised in DEPUTY alg_confusion
CVE-2026-44843 — SPIFFE SVID cross-boundary trust domain confusion — operationalised in TRANSMUTE
MITRE ATT&CK T1134 — Access Token Manipulation
MITRE ATT&CK T1552 — Unsecured Credentials
MITRE ATT&CK T1078 — Valid Accounts
MITRE ATT&CK T1550 — Use Alternate Authentication Material
MITRE ATT&CK T1606 — Forge Web Credentials
MITRE ATT&CK T1111 — Multi-Factor Authentication Interception
MITRE ATLAS AML.T0012 — Valid ML Service Accounts
MITRE ATLAS AML.T0051 — LLM Prompt Injection
MITRE ATLAS AML.T0056 — LLM Meta Prompt Extraction
MITRE ATLAS AML.T0043 — Craft Adversarial Data
MITRE ATLAS AML.T0048 — Backdoor ML Model
OWASP LLM01 — Prompt Injection
OWASP LLM02 — Insecure Output Handling
OWASP LLM06 — Sensitive Information Disclosure
OWASP NHI Top 10 — Non-Human Identity risks (NHI1, NHI2, NHI5)

UNLEASHED Gate

SPECTER FORGERY uses a three-tier UNLEASHED gate. OPEN operations require no flags. INJECT operations require --override. DESTROY operations require both --override and --confirm-destroy, plus a scope file defining authorised target boundaries.

# INJECT tier example:
$ specter-forgery mint <TARGET> --identity-type oidc_token --override

# DESTROY tier example (requires scope file):
$ specter-forgery transmute <TARGET> --source-vendor gcp --target-vendor azure --override --confirm-destroy --scope-file forgery_scope.json
    

Disclaimer

SPECTER FORGERY is a controlled adversarial testing framework for authorised security testing, red team engagements, and security research with explicit written permission from system owners. Identity forgery and token manipulation operations must only be executed against systems you own or have explicit written authorisation to test. Unauthorised use constitutes offences under the Computer Misuse Act 1990, CFAA, and equivalent legislation worldwide. Every INJECT and DESTROY operation is logged, hash-chained, and Ed25519-signed for post-engagement audit review.