Cracking a JWT signature

Çağlar Arlı

I am testing an API that uses JWT for authentication. This JWT has an HS256 signature to prevent modification. I figured that if I determine the secret key used in this signature, I can create my own JWTs. How can I crack the secret key of a JWT signature?

I tried using jumbo john which does seem to have JWT support, but I can't get it to work:

$ ./john jwt.txt 
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)

There is no JWT option in john --list=format.
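
An added example, not part of the original question: how an HS256 signature is computed over `header.payload`, and how a service owner can audit a token issued by their own service against a list of known-weak secrets. All function names, the weak-secret list and the sample claims are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

MIN_HS256_KEY_BYTES = 32  # RFC 7518 s3.2: key at least as long as the hash output

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature; signature = HMAC-SHA256(secret, header.payload)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def verifies(token: str, secret: bytes) -> bool:
    """True only if token is a well-formed HS256 JWT whose MAC matches secret."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    except ValueError:  # wrong part count, bad base64, bad JSON, non-ASCII input
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

def audit_secret(token: str, weak_secrets: list) -> Optional[bytes]:
    """Return the first known-weak secret that validates our own token, else None."""
    return next((s for s in weak_secrets if verifies(token, s)), None)

def key_long_enough(secret: bytes) -> bool:
    return len(secret) >= MIN_HS256_KEY_BYTES

# Constructed sample data: a short list of weak secrets and a token signed with one.
WEAK_SECRETS = [b"secret", b"changeme", b"password"]

if __name__ == "__main__":
    token = sign_hs256({"sub": "alice"}, b"changeme")
    print("weak secret in use:", audit_secret(token, WEAK_SECRETS))
    print("meets minimum key length:", key_long_enough(b"changeme"))
```

A secret generated from a CSPRNG at 32 bytes or more passes both checks; a human-chosen string typically fails at least one.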