From 607362f5a3c7cc5cc2ef59a0e5326a80323e8fd0 Mon Sep 17 00:00:00 2001 From: Parag Bagade Date: Tue, 23 Jun 2026 18:19:11 +0530 Subject: [PATCH 1/2] Fix typo in JWT key cracking explanation --- .../06-Session_Management_Testing/10-Testing_JSON_Web_Tokens.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens.md b/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens.md index 70f2ec5..4d35334 100644 --- a/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens.md +++ b/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens.md @@ -146,7 +146,7 @@ If the JWT is signed using a HMAC-based algorithm (such as HS256), the security If the application is using off-the-shelf or open source software, the first step should be go investigate the code, and see whether there is default HMAC signing key that is used. -If there isn't a default, then it may be possible to crack guess or brute-force they key. The simplest way to do this is to use the [crackjwt.py](https://github.com/Sjord/jwtcrack) script, which simply requires the JWT and a dictionary file. +If there isn't a default, then it may be possible to crack guess or brute-force the key. The simplest way to do this is to use the [crackjwt.py](https://github.com/Sjord/jwtcrack) script, which simply requires the JWT and a dictionary file. A more powerful option is to convert the JWT into a format that can be used by [John the Ripper](https://github.com/openwall/john) using the [jwt2john.py](https://github.com/Sjord/jwtcrack/blob/master/jwt2john.py) script. John can then be used to carry out much more advanced attacks against the key. From 72e5dbdb434877bad8189aa0d4ea6b03433bbdeb Mon Sep 17 00:00:00 2001 
From: Parag Bagade Date: Tue, 23 Jun 2026 18:21:59 +0530 Subject: [PATCH 2/2] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .../06-Session_Management_Testing/10-Testing_JSON_Web_Tokens.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens.md b/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens.md index 4d35334..83ecc9f 100644 --- a/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens.md +++ b/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens.md @@ -146,7 +146,7 @@ If the JWT is signed using a HMAC-based algorithm (such as HS256), the security If the application is using off-the-shelf or open source software, the first step should be go investigate the code, and see whether there is default HMAC signing key that is used. -If there isn't a default, then it may be possible to crack guess or brute-force the key. The simplest way to do this is to use the [crackjwt.py](https://github.com/Sjord/jwtcrack) script, which simply requires the JWT and a dictionary file. +If there isn't a default, then it may be possible to crack, guess, or brute-force the key. The simplest way to do this is to use the [crackjwt.py](https://github.com/Sjord/jwtcrack) script, which simply requires the JWT and a dictionary file. A more powerful option is to convert the JWT into a format that can be used by [John the Ripper](https://github.com/openwall/john) using the [jwt2john.py](https://github.com/Sjord/jwtcrack/blob/master/jwt2john.py) script. John can then be used to carry out much more advanced attacks against the key.
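Review bot: in the PATCH 1/2 hunk the changed line still reads "crack guess or brute-force the key" with no commas in a three-item list, and the unchanged context line directly above it carries two more errors in the same paragraph ("should be go investigate" and "whether there is default HMAC signing key"); since this commit is titled as a typo fix for this explanation, fold them into the same hunk, e.g. "the first step should be to investigate the code, and see whether there is a default HMAC signing key that is used." The hunk header line "signed using a HMAC-based algorithm" would also normally read "an HMAC-based algorithm".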
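Review bot: the PATCH 2/2 hunk touches the same line as PATCH 1/2 only to add the commas in "crack, guess, or brute-force", so the two commits should be squashed into one with a subject that describes the change; "Potential fix for pull request finding" does not say what was fixed, and the message carries nothing beyond the Copilot Autofix co-author trailer. The context line above the change still has "should be go investigate" and "there is default HMAC signing key" uncorrected, which belongs in the same pass.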