JSON Web Tokens

JWT Tool

JWT Tool is great for finding issues in JSON Web Tokens. It will help to identify the following issues:

• JWT uses HS256 signing algorithm

• JWT contains sensitive data

• JWT does not expire

• JWT permits a NULL signature

• RS256 to HS256

python jwt_tool.py <JWT> -X a

• https://github.com/ticarpi/jwt_tool/

Cracking with Hashcat

Use the following command to crack JWTs.

hashcat.exe -m 16500 /JWT.txt rockyou.txt --backend-ignore-cuda

JWT.txt should contain your JWT.

Various password wordlists can be used. rockyou.txt is one example.

• https://hashcat.net/hashcat/