Simple HS256 JWT token brute force cracker.
Effective only to crack JWT tokens with weak secrets.
Recommendation: Use strong long secrets or RS256 tokens.
Install
With npm:
npm install --global jwt-cracker
Usage
From command line:
jwt-cracker <token> [<alphabet>] [<maxLength>]
- token: the full HS256 JWT token string to crack
- alphabet: the alphabet to use for the brute force (default: "abcdefghijklmnopqrstuwxyzABCDEFGHIJKLMNOPQRSTUWXYZ0123456789")
- maxLength: the max length of the string generated during the brute force (default: 12)
Requirements
This script requires Node.js version 6.0.0 or higher
Example
Cracking the default jwt.io example:
jwt-cracker "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ" "abcdefghijklmnopqrstuwxyz" 6