Skip to content
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

67 lines (47 sloc) 1.46 KB
from jwt import decode, InvalidTokenError, DecodeError, get_unverified_header
import sys
def is_jwt(jwt):
parts = jwt.split(".")
if len(parts) != 3:
return False
return True
def read_jwt(jwt):
if not is_jwt(jwt):
with open(jwt) as fp:
jwt =
if not is_jwt(jwt):
raise RuntimeError("Parameter %s is not a valid JWT" % jwt)
return jwt
def crack_jwt(jwt, dictionary):
with open(dictionary) as fp:
for secret in fp:
secret = secret.rstrip()
decode(jwt, secret, algorithms=["HS256"])
return secret
except DecodeError:
# Signature verification failed
except InvalidTokenError:
# Signature correct, something else failed
return secret
def is_hs256(jwt):
header = get_unverified_header(jwt)
return header["alg"] == "HS256"
def main(argv):
if len(argv) != 3:
print("Usage: %s [JWT or JWT filename] [dictionary filename] " % argv[0])
jwt = read_jwt(argv[1])
if not is_hs256(jwt):
print("Error: This JWT does not use the HS256 signing algorithm")
print("Cracking JWT %s" % jwt)
result = crack_jwt(jwt, argv[2])
if result:
print("Found secret key:", result)
print("Key not found")
if __name__ == "__main__":
You can’t perform that action at this time.