From 89803141737c89fa33f721c96f9cebdfcc884c89 Mon Sep 17 00:00:00 2001
From: tera-si <cheuklunterence@gmail.com>
Date: Mon, 2 Feb 2026 18:57:53 +0000
Subject: [PATCH] Fix weak password checks not running in scan mode

---
 jwt_tool.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/jwt_tool.py b/jwt_tool.py
index ce99a7e..f349110 100755
--- a/jwt_tool.py
+++ b/jwt_tool.py
@@ -1525,11 +1525,10 @@ def scanModePlaybook():
         cprintc("External service interactions not tested - enter listener URL into 'jwtconf.ini' to try this option", "red")
     # Accept Common HMAC secret (as alterative signature)
     with open(config['input']['wordlist'], "r", encoding='utf-8', errors='ignore') as commonPassList:
-        commonPass = commonPassList.readline().rstrip()
-        while commonPass:
+        for commonPass in commonPassList:
+            commonPass = commonPass.rstrip()
             newSig, newContents = signTokenHS(headDict, paylDict, commonPass, 256)
             jwtOut(newContents+"."+newSig, "Checking for alternative accepted HMAC signatures, based on common passwords. Testing: "+commonPass+"", "This token can exploit a hard-coded common password in the config")
-            commonPass = commonPassList.readline().rstrip()
     # SCAN COMPLETE
     cprintc("Scanning mode completed: review the above results.\n", "magenta")
     # Further manual testing: check expired token, brute key, find Public Key, run other scans