
JWT Auditor MCP Server

by mohdhaji87

jwt_bruteforce

Bruteforce HS256/HS384/HS512 JWT secrets using common or custom wordlists to test token security and identify weak keys.

Instructions

Bruteforce the secret for HS256/HS384/HS512 JWTs using a common wordlist or a custom one.

Input Schema

Name       Required   Description   Default
token      Yes
wordlist   No

Implementation Reference

  • The jwt_bruteforce tool handler, decorated with @server.tool() for registration. Implements JWT secret bruteforce for HS256/HS384/HS512 algorithms using a provided or default wordlist of common secrets. Parses the token, recomputes the HMAC signature with each candidate secret, and checks for a match.
    from typing import Optional
    # Assumption for stand-alone running: `server` is the project's MCP server instance,
    # created elsewhere in the project; a FastMCP instance is used here as a stand-in.
    from mcp.server.fastmcp import FastMCP
    server = FastMCP("JWT Auditor")

    @server.tool()
    def jwt_bruteforce(token: str, wordlist: Optional[list] = None) -> dict:
        """Bruteforce the secret for HS256/HS384/HS512 JWTs using a common wordlist or a custom one."""
        import hmac
        import hashlib
        import base64
        import json
        # Default wordlist (short for demo; in production, use a large list)
        common_secrets = [
            'secret', 'password', '123456', 'admin', 'jwtsecret', 'letmein', 'qwerty', 'iloveyou', 'welcome', 'monkey',
            'abc123', '1q2w3e4r', 'test', 'changeme', 'default', 'passw0rd', 'supersecret', 'trustno1', 'hunter2', 'root'
        ]
        secrets = wordlist if wordlist else common_secrets
        try:
            header_b64, payload_b64, signature_b64 = token.split(".")

            def b64decode(data: str) -> bytes:
                # JWT segments are base64url without padding; restore it before decoding
                rem = len(data) % 4
                if rem:
                    data += '=' * (4 - rem)
                return base64.urlsafe_b64decode(data.encode())

            header = json.loads(b64decode(header_b64))
            alg = str(header.get("alg", "")).upper()
            if alg not in ["HS256", "HS384", "HS512"]:
                return {"error": f"Bruteforce only supported for HS256/HS384/HS512, got {alg}"}
            hash_alg = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}[alg]
            # The HMAC covers the two encoded segments joined by '.', exactly as the issuer signed them
            signing_input = f"{header_b64}.{payload_b64}".encode()
            # Compare raw digest bytes rather than re-encoded text, so a token whose signature
            # segment carries '=' padding or non-canonical encoding is not missed
            expected_sig = b64decode(signature_b64)
            for secret in secrets:
                key = secret.encode() if isinstance(secret, str) else bytes(secret)
                sig = hmac.new(key, signing_input, hash_alg).digest()
                if hmac.compare_digest(sig, expected_sig):
                    return {"result": "success", "secret": secret}
            return {"result": "not found", "tested": len(secrets)}
        except Exception as e:
            return {"error": str(e)}
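As an added defender-side example (not part of the JWT Auditor MCP project's code), a helper that audits the HMAC key behind an HS256/HS384/HS512 token against the RFC 7518 §3.2 minimum key size (key at least as long as the hash output) and against the kind of common-secret list the tool above searches; `sign_hs_jwt`, `audit_hs_key`, `HS_ALGS` and `KNOWN_WEAK` are hypothetical names assumed here, and the weak list is a constructed sample.

```python
import base64
import hashlib
import hmac
import json

# Hash function for each HMAC alg and its minimum key length in bytes per RFC 7518 s3.2.
HS_ALGS = {"HS256": (hashlib.sha256, 32), "HS384": (hashlib.sha384, 48), "HS512": (hashlib.sha512, 64)}

# Constructed short sample of well-known weak secrets; a real audit would use a large wordlist.
KNOWN_WEAK = {"secret", "password", "123456", "admin", "jwtsecret", "changeme", "supersecret"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWT segments strip before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint an HS* JWT the way an issuer does; used here only to build audit inputs."""
    hash_alg, _ = HS_ALGS[alg]
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hash_alg).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def audit_hs_key(token: str, key: bytes) -> dict:
    """Check the key that signs an HS* token: it must verify the token, meet the RFC 7518
    minimum length for its alg, and not be a well-known secret. Empty 'findings' means it passed."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    alg = str(header.get("alg", "")).upper()
    if alg not in HS_ALGS:
        return {"alg": alg, "findings": ["not an HMAC-signed token; key audit does not apply"]}
    hash_alg, min_len = HS_ALGS[alg]
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hash_alg).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return {"alg": alg, "findings": ["supplied key does not verify this token"]}
    findings = []
    if len(key) < min_len:
        findings.append(f"key is {len(key)} bytes; {alg} requires at least {min_len}")
    if key.decode(errors="ignore") in KNOWN_WEAK:
        findings.append("key appears in the common-secret wordlist")
    return {"alg": alg, "key_bytes": len(key), "findings": findings}
```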
