Auto-detect algorithm

brute-jwt.py

@@ -1,19 +1,25 @@
 #!/usr/bin/python
 
-import jwt;
+import base64
+import json
+import jwt
 from termcolor import colored
 
 print colored("Script to brute-force JWT secret token",'white')
 encoded = raw_input("Enter encoded payload: ")
 
+header_base64, remainder = encoded.split(b'.', 1)
+header_json = base64.b64decode(header_base64)
+algorithm = json.loads(header_json.decode('utf-8')).get('alg')
+print colored('Detected algorithm [' + algorithm + ']','green')
 
 with open('secret.txt') as secrets:
     for secret in secrets:
         try:
-            payload = jwt.decode(encoded, secret.rstrip(), algorithms=['HS256'])
+            payload = jwt.decode(encoded, secret.rstrip(), algorithm)
             print colored('Success! Token decoded with ....[' + secret.rstrip() + ']','green')
             break
         except jwt.InvalidTokenError:
             print colored('Invalid Token .... [' + secret.rstrip() + ']','red')
         except jwt.ExpiredSignatureError:
-            print colored('Token Expired ....[' + secret.rstrip() + ']','red')
+            print colored('Token Expired ....[' + secret.rstrip() + ']','red')