Documentation & Learning Resources
Back to Tool

Secret Bruteforcer Guide

Advanced Tool Updated: May 2024

The Secret Bruteforcer tool is designed to test JWT tokens against common secrets and custom wordlists. This is essential for identifying weak JWT signing keys that attackers could easily guess or brute-force.

What is JWT Secret Bruteforcing?

JWT tokens signed with HMAC algorithms (HS256, HS384, HS512) use a shared secret key. If this secret is weak or commonly used, attackers can discover it through brute-force attacks. Once the secret is known, attackers can:

  • Forge new JWT tokens with any claims
  • Modify existing tokens to escalate privileges
  • Impersonate any user in the system
  • Bypass authentication and authorization controls
Important: Only use this tool on systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.

How to Use the Secret Bruteforcer

Step 1: Navigate to the Tool

Click on the "⚡ Secret Bruteforce" tab in the main JWTAuditor interface.

Step 2: Enter Your JWT Token

Paste the JWT token you want to test in the "JWT Token for Bruteforce" field. The tool will automatically validate the token format.

Tip: Only HMAC-signed tokens (HS256, HS384, HS512) can be brute-forced. RSA and ECDSA tokens use public/private key pairs and cannot be cracked this way.

Step 3: Choose Your Bruteforce Method

Select one of the available methods:

JWT Secrets List

Uses a curated list of common JWT secrets including:

  • Common passwords (secret, password, 123456, etc.)
  • JWT-specific secrets (jwtsecret, jwt-key, etc.)
  • Default application secrets
  • Development and testing secrets

Best for: Quick testing against known weak secrets

Custom Wordlist

Allows you to use your own wordlist for testing:

  • Enter secrets manually (one per line)
  • Upload a wordlist file (.txt)
  • Target application-specific secrets
  • Use company-related terms

Best for: Targeted testing with context-specific secrets

Step 4: Start the Bruteforce Attack

Click "Start Bruteforce" to begin the attack. The tool will:

  1. Validate the JWT token format
  2. Check if the algorithm is supported (HS256, HS384, HS512)
  3. Test each secret from your chosen wordlist
  4. Display real-time progress
  5. Stop immediately when a valid secret is found

Step 5: Review Results

If a secret is found, the tool will display:

  • The discovered secret key
  • Confirmation that the signature is valid
  • Time taken to find the secret

Technical Implementation

Performance Optimization

JWTAuditor's Secret Bruteforcer is optimized for performance:

  • Web Workers: Runs in a separate thread to avoid blocking the UI
  • Web Crypto API: Uses native browser cryptographic functions for fast HMAC computation
  • Batch Processing: Tests multiple secrets before updating progress
  • Early Termination: Stops immediately when a valid secret is found

Supported Algorithms

The tool supports all HMAC-based JWT algorithms:

  • HS256: HMAC with SHA-256
  • HS384: HMAC with SHA-384
  • HS512: HMAC with SHA-512

Limitations and Constraints

Supported Algorithms

The Secret Bruteforcer works with symmetric HMAC algorithms:

  • HS256 - HMAC with SHA-256
  • HS384 - HMAC with SHA-384
  • HS512 - HMAC with SHA-512

These algorithms use a shared secret key that can be discovered through brute-force attacks.

Unsupported Algorithms

The following algorithms cannot be bruteforced using this method:

  • RS256/384/512 - RSA Signature with SHA-256/384/512
  • ES256/384/512 - ECDSA Signature with SHA-256/384/512
  • PS256/384/512 - RSA-PSS Signature with SHA-256/384/512
  • EdDSA - Edwards-Curve Digital Signature Algorithm

These use asymmetric cryptography with public/private key pairs where the private key cannot be derived from the public key.

Why Asymmetric Algorithms Are Secure:
  • Tokens are signed with a private key that is kept secret
  • Tokens are verified with a public key that can be widely distributed
  • The private key cannot be derived from the public key
  • Security is based on computationally infeasible mathematical problems

Alternative Attack Vectors: For asymmetric algorithms, consider testing for algorithm confusion attacks, key injection vulnerabilities, or weak key generation instead.

Common Weak Secrets

Here are some examples of commonly used weak secrets that this tool can detect:

Generic Weak Secrets

secret
password
123456
admin
test
jwt
key

JWT-Specific Secrets

jwtsecret
jwt-secret
jwt_secret
jwtkey
jwt-key
your-256-bit-secret
mysecretkey

Development Secrets

dev
development
testing
staging
demo
localhost
supersecret

Creating Effective Wordlists

Application-Specific Wordlists

For targeted testing, create wordlists that include:

  • Company names: acme, mycompany, corp
  • Application names: myapp, portal, api
  • Domain names: example.com, mysite.org
  • Product names: product1, service, platform

Common Patterns

Include variations of common patterns:

  • With numbers: secret123, password1, key2024
  • With special characters: secret!, password@, key#
  • Case variations: Secret, PASSWORD, MyKey
  • With underscores/hyphens: secret_key, my-password

External Wordlists

You can also use popular wordlists such as:

  • SecLists: JWT-specific wordlists
  • RockYou: Common passwords
  • Custom wordlists: Generated based on target reconnaissance

Best Practices

For Penetration Testers

  • Start with the built-in JWT secrets list for quick wins
  • Create custom wordlists based on reconnaissance data
  • Include company-specific terms and variations
  • Test during off-peak hours to avoid detection
  • Document all discovered secrets for the final report

For Developers

  • Use this tool to test your own JWT implementations
  • Ensure your JWT secrets are not in common wordlists
  • Use cryptographically secure random secrets
  • Implement proper secret rotation policies
  • Consider using asymmetric algorithms (RS256) for better security

For Security Teams

  • Include JWT secret testing in security assessments
  • Create organization-specific wordlists
  • Test both internal and external applications
  • Monitor for weak secrets in code repositories
  • Establish secure secret management practices

Troubleshooting

Common Issues

Q: The tool says "Algorithm not supported"

A: The Secret Bruteforcer only works with HMAC algorithms (HS256, HS384, HS512). RSA and ECDSA algorithms use public/private key pairs and cannot be brute-forced with this method.

Q: The bruteforce is taking too long

A: Large wordlists can take time to process. Consider using a smaller, more targeted wordlist first. You can also stop the process at any time using the "Stop" button.

Q: My custom wordlist isn't working

A: Ensure your wordlist has one secret per line with no extra spaces. The tool will filter out empty lines automatically.

Q: The tool found a secret but I can't verify it

A: Use the JWT Editor tool to re-sign the token with the discovered secret and verify it works in your target application.

Security Considerations

Privacy: All bruteforce operations are performed client-side in your browser. No tokens or secrets are transmitted to any server.

Important security considerations:

  • Legal compliance: Only test systems you own or have permission to test
  • Rate limiting: Some applications may detect and block brute-force attempts
  • Logging: Your testing activities may be logged by the target application
  • Network traffic: While processing is local, accessing the application will generate network requests

Related Tools

Use these JWTAuditor tools in combination for comprehensive JWT testing:

Decoder & Analyzer

Decode tokens and identify potential vulnerabilities before bruteforcing

JWT Editor

Modify and re-sign tokens using discovered secrets

JWT Generator

Create new tokens from scratch using discovered secrets