jwtear 0.2.0 → 1.0.0.pre

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: 31993d744377eadf2eb201f98dfaa66adab22cfc
4
- data.tar.gz: e672364d1ebd8177c28337bb8be696f179723f35
2
+ SHA256:
3
+ metadata.gz: 337191e2dd73a88ddc1d794bebd7056ac661bc4c7a5d5ef6cec688b47c04bffa
4
+ data.tar.gz: b7f3b4bca6142c587b66da6de5dcaed0607c629b6eb2ebe16655d846f8de6d54
5
5
  SHA512:
6
- metadata.gz: 65a8dd13d5646b5a2b22ecfb3d086f4c41496ce072301ff0b1edba69dc556d5219e0a3bd2fe0661781c1a7bb3c070d43c0fbf27c724b4de6a87e3a7a5435ebb7
7
- data.tar.gz: e4730d76bad3fc32f12392ea13ab25da5aca60f47603a12737a54d17dd219654997ddc55ad0d822ce336b8ac7ce93e76007f4737a303098a6b4ab52880d9448b
6
+ metadata.gz: 3a99ddea7d5ec592e0742fb2a266e852ff42148278f8579024ca722ae5f51b55929a71da19ec570ede487d9ee42e5f7866b578d0b14b0e51959fefe78b58ff4e
7
+ data.tar.gz: e6c65cb64a34918ace92dd57ed912a2060c862b2d855ab0e5fb7dedd4ae33c95ef8be9a4275b5f893426774cbe3803bc85f35b69c84f30022691ee2511e0893b
data/.gitignore CHANGED
@@ -1 +1,8 @@
1
- .idea/
1
+ /.bundle/
2
+ /.yardoc
3
+ /_yardoc/
4
+ /coverage/
5
+ /doc/
6
+ /pkg/
7
+ /spec/reports/
8
+ /tmp/
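Review bot: the hunk drops `.idea/` from the ignore list while adding the standard bundler/yard entries; unless IDE project metadata is meant to be tracked, keep `.idea/` (or move it to a global gitignore) so editor files do not end up in commits. Note also that `Gemfile.lock`, which this release adds, is not listed here; decide deliberately whether the lockfile is tracked (see the comment on that hunk).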
@@ -0,0 +1,74 @@
1
+ # Contributor Covenant Code of Conduct
2
+
3
+ ## Our Pledge
4
+
5
+ In the interest of fostering an open and welcoming environment, we as
6
+ contributors and maintainers pledge to making participation in our project and
7
+ our community a harassment-free experience for everyone, regardless of age, body
8
+ size, disability, ethnicity, gender identity and expression, level of experience,
9
+ nationality, personal appearance, race, religion, or sexual identity and
10
+ orientation.
11
+
12
+ ## Our Standards
13
+
14
+ Examples of behavior that contributes to creating a positive environment
15
+ include:
16
+
17
+ * Using welcoming and inclusive language
18
+ * Being respectful of differing viewpoints and experiences
19
+ * Gracefully accepting constructive criticism
20
+ * Focusing on what is best for the community
21
+ * Showing empathy towards other community members
22
+
23
+ Examples of unacceptable behavior by participants include:
24
+
25
+ * The use of sexualized language or imagery and unwelcome sexual attention or
26
+ advances
27
+ * Trolling, insulting/derogatory comments, and personal or political attacks
28
+ * Public or private harassment
29
+ * Publishing others' private information, such as a physical or electronic
30
+ address, without explicit permission
31
+ * Other conduct which could reasonably be considered inappropriate in a
32
+ professional setting
33
+
34
+ ## Our Responsibilities
35
+
36
+ Project maintainers are responsible for clarifying the standards of acceptable
37
+ behavior and are expected to take appropriate and fair corrective action in
38
+ response to any instances of unacceptable behavior.
39
+
40
+ Project maintainers have the right and responsibility to remove, edit, or
41
+ reject comments, commits, code, wiki edits, issues, and other contributions
42
+ that are not aligned to this Code of Conduct, or to ban temporarily or
43
+ permanently any contributor for other behaviors that they deem inappropriate,
44
+ threatening, offensive, or harmful.
45
+
46
+ ## Scope
47
+
48
+ This Code of Conduct applies both within project spaces and in public spaces
49
+ when an individual is representing the project or its community. Examples of
50
+ representing a project or community include using an official project e-mail
51
+ address, posting via an official social media account, or acting as an appointed
52
+ representative at an online or offline event. Representation of a project may be
53
+ further defined and clarified by project maintainers.
54
+
55
+ ## Enforcement
56
+
57
+ Instances of abusive, harassing, or otherwise unacceptable behavior may be
58
+ reported by contacting the project team at king.sabri@gmail.com. All
59
+ complaints will be reviewed and investigated and will result in a response that
60
+ is deemed necessary and appropriate to the circumstances. The project team is
61
+ obligated to maintain confidentiality with regard to the reporter of an incident.
62
+ Further details of specific enforcement policies may be posted separately.
63
+
64
+ Project maintainers who do not follow or enforce the Code of Conduct in good
65
+ faith may face temporary or permanent repercussions as determined by other
66
+ members of the project's leadership.
67
+
68
+ ## Attribution
69
+
70
+ This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
71
+ available at [http://contributor-covenant.org/version/1/4][version]
72
+
73
+ [homepage]: http://contributor-covenant.org
74
+ [version]: http://contributor-covenant.org/version/1/4/
data/Gemfile CHANGED
@@ -1,6 +1,4 @@
1
1
  source "https://rubygems.org"
2
2
 
3
- git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
4
-
5
3
  # Specify your gem's dependencies in jwtear.gemspec
6
4
  gemspec
@@ -0,0 +1,71 @@
1
+ PATH
2
+ remote: .
3
+ specs:
4
+ jwtear (1.0.0)
5
+ gli (~> 2.19, >= 2.19.0)
6
+ json-jwt (~> 1.10, >= 1.10.2)
7
+ jwe (~> 0.4.0)
8
+ tty-markdown (~> 0.6.0)
9
+ tty-pager (~> 0.12.1)
10
+
11
+ GEM
12
+ remote: https://rubygems.org/
13
+ specs:
14
+ activesupport (6.0.0)
15
+ concurrent-ruby (~> 1.0, >= 1.0.2)
16
+ i18n (>= 0.7, < 2)
17
+ minitest (~> 5.1)
18
+ tzinfo (~> 1.1)
19
+ zeitwerk (~> 2.1, >= 2.1.8)
20
+ aes_key_wrap (1.0.1)
21
+ bindata (2.4.4)
22
+ concurrent-ruby (1.1.5)
23
+ equatable (0.6.1)
24
+ gli (2.19.0)
25
+ i18n (1.7.0)
26
+ concurrent-ruby (~> 1.0)
27
+ json-jwt (1.10.2)
28
+ activesupport (>= 4.2)
29
+ aes_key_wrap
30
+ bindata
31
+ jwe (0.4.0)
32
+ kramdown (1.16.2)
33
+ minitest (5.12.2)
34
+ pastel (0.7.3)
35
+ equatable (~> 0.6)
36
+ tty-color (~> 0.5)
37
+ rouge (3.11.1)
38
+ strings (0.1.6)
39
+ strings-ansi (~> 0.1)
40
+ unicode-display_width (~> 1.5)
41
+ unicode_utils (~> 1.4)
42
+ strings-ansi (0.1.0)
43
+ thread_safe (0.3.6)
44
+ tty-color (0.5.0)
45
+ tty-markdown (0.6.0)
46
+ kramdown (~> 1.16.2)
47
+ pastel (~> 0.7.2)
48
+ rouge (~> 3.3)
49
+ strings (~> 0.1.4)
50
+ tty-color (~> 0.4)
51
+ tty-screen (~> 0.6)
52
+ tty-pager (0.12.1)
53
+ strings (~> 0.1.4)
54
+ tty-screen (~> 0.6)
55
+ tty-which (~> 0.4)
56
+ tty-screen (0.7.0)
57
+ tty-which (0.4.1)
58
+ tzinfo (1.2.5)
59
+ thread_safe (~> 0.1)
60
+ unicode-display_width (1.6.0)
61
+ unicode_utils (1.4.0)
62
+ zeitwerk (2.1.10)
63
+
64
+ PLATFORMS
65
+ ruby
66
+
67
+ DEPENDENCIES
68
+ jwtear!
69
+
70
+ BUNDLED WITH
71
+ 2.0.2
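Review bot: the lockfile records `+ jwtear (1.0.0)` while this release is 1.0.0.pre, so it is stale relative to the gemspec and should be regenerated or dropped. For a gem the lockfile is not consumed by downstream users (their resolver only sees the `~>` constraints under PATH, e.g. `gli (~> 2.19, >= 2.19.0)` and `json-jwt (~> 1.10, >= 1.10.2)`), so the exact pins such as `activesupport (6.0.0)` only fix the development environment; a dependency bump for a security fix therefore has to land in the gemspec constraints, not just here. If the lockfile is kept for reproducible development builds, add it to the gem's file exclusions so it is not shipped in the package.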
data/README.md CHANGED
@@ -1,7 +1,19 @@
1
1
  # Jwtear
2
- Command-line tool and library to parse, create and manipulate JSON Web Token(JWT) tokens for security testing purposes.
2
+ A modular Command-line tool to parse, create and manipulate JSON Web Token(JWT) tokens for security testing purposes.
3
3
 
4
- During working on exploiting some JWT-based application, I needed some tool to make parsing and manipulating JWT token easier.
4
+ ## Features
5
+ - Complete modularity.
6
+ - All commands are plugins.
7
+ - Easy to add a new plugins.
8
+ - Support JWS and JWE tokens.
9
+ - Easy interface for plugins. (follow the template example)
10
+
11
+ ### Available plugins
12
+ - Parse: parses jwt tokens.
13
+ - jws: manipulate and generate JWS tokens.
14
+ - jwe: manipulate and generate JWE tokens.
15
+ - bruteforce: brutefocing JWS signing key
16
+ - wiki: contains information about JWT, attacks ideas, references.
5
17
 
6
18
  ## Installation
7
19
 
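Review bot: several wording slips in the new Features and plugin lists: `+ - Easy to add a new plugins.` should read "Easy to add new plugins", `+ - Support JWS and JWE tokens.` should be "Supports JWS and JWE tokens", and `+ - bruteforce: brutefocing JWS signing key` has "brutefocing" for "brute-forcing". "Parse:" is capitalised while the other entries use the lowercase command name, and "JSON Web Token(JWT)" is missing a space before the parenthesis.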
@@ -11,8 +23,8 @@ install it yourself as:
11
23
 
12
24
  ## Usage
13
25
 
26
+ - Show the main menu
14
27
  ```
15
-
16
28
  888888 888 888 88888888888
17
29
  "88b 888 o 888 888
18
30
  888 888 d8b 888 888
@@ -21,34 +33,102 @@ install it yourself as:
21
33
  888 88888P Y88888 888 88888888 .d888888 888
22
34
  88P 8888P Y8888 888 Y8b. 888 888 888
23
35
  888 888P Y888 888 "Y8888 "Y888888 888
24
- .d88P v0.1.2
36
+ .d88P v1.0.0
25
37
  .d88P"
26
38
  888P"
27
- JWTear - Parse, create and manipulate JWT tokens.
28
-
29
- Help menu:
30
- -p, --parse JWT_TOKEN Parse JWT token
31
- -t, --generate-token Generate JWT token.
32
- -s, --generate-sig Generate JWT signature.
33
- -H, --header HEADER JWT header (JSON format). (required for generate-token and generate-sig)
34
- eg. {"typ":"JWT","alg":"HS256"} | Supported algorithms: [HS256, RS512, etc]
35
- -P, --payload PAYLOAD JWT payload (JSON format). (required for generate-token and generate-sig)
36
- eg. {"login":"admin"}
37
- -g, --alg ALGORITHM Force algorithm type when generating a new token (ignore the one in header). (optional with generate-token)
38
- Supported algorithms: [HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512]
39
- -k, --key SECRET Secret Key for symmetric encryption. (required for generate-token and generate-sig. Accept password as a string or a file)
40
- eg. P@ssw0rd | eg. public_key.pem
41
- -h, --help Show this help message
42
-
43
- Usage:
44
- jwtear <OPTIONS>
45
-
46
- Example:
47
- jwtear --generate-token --header '{"typ":"JWT","alg":"HS256"}' --payload '{"login":"admin"}' --key 'P@ssw0rd!'
48
- jwtear --generate-sig --header '{"typ":"JWT","alg":"HS256"}' --payload '{"login":"admin"}' --key 'P@ssw0rd!'
49
- jwtear --parse 'eyJwI...6IfJ9.kxrMS...MjAMm.zEybN...TU2Njk3ZmE3OA'
39
+ NAME
40
+ jwtear - Parse, create and manipulate JWT tokens.
41
+
42
+ SYNOPSIS
43
+ jwtear [global options] command [command options] [arguments...]
44
+
45
+ GLOBAL OPTIONS
46
+ -v, --version - Check current and latest version
47
+ -h, --help - Show this help message
48
+
49
+ COMMANDS
50
+ help - Shows a list of commands or help for one command
51
+ bruteforce, bfs - plugin to offline bruteforce and crack token's signature.
52
+ jws, s - Generate signature-based JWT (JWS) token.
53
+ jwe, e - Generate encryption-based JWT (JWE) token.
54
+ parse - Parse JWT token (accepts JWS and JWE formats).
55
+ wiki, w - A JWT wiki for hackers.
56
+ ```
57
+
58
+ - Show a subcommand help, use `-h COMMAND`
50
59
 
51
60
  ```
61
+ $jwtear -h jws
62
+
63
+ NAME
64
+ jws - Generate signature-based JWT (JWS) token.
65
+
66
+ SYNOPSIS
67
+ jwtear [global options] jws [command options]
68
+
69
+ DESCRIPTION
70
+ Generate JWS and JWE tokens.
71
+
72
+ COMMAND OPTIONS
73
+ -h, --header=JSON - JWT header (JSON format). eg. {"typ":"JWT","alg":"HS256"}. Run 'jwtear gen -l' for supported algorithms. (required, default: none)
74
+ -p, --payload=JSON - JWT payload (JSON format). eg. {"login":"admin"} (required, default: none)
75
+ -k, --key=PASSWORD|PUB_KEY_FILE - Key as a password string or a file public key. eg. P@ssw0rd | eg. public_key.pem (default: none)
76
+ ```
77
+
78
+ - Use a plugin
79
+
80
+ plugins are defined as subcommands. Each subcommand may have one or more argument and/or switches.
81
+ ```
82
+ $ jwtear parse -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.J8SS8VKlI2yV47C4BtfYukWPx_2welF34Mz7l-MNmkE
83
+ $ jwtear jws -h '{"alg":"HS256","typ":"JWT"}' -p '{"user":"admin"}' -k p@ss0rd123
84
+ $ jwtear bruteforce -t eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjpudWxsfQ.Tr0VvdP6rVBGBGuI_luxGCOaz6BbhC6IxRTlKOW8UjM -l ~/tmp/pass.list -v
85
+ ```
86
+
87
+ ## Add plugin
88
+ To add a new plugin, create a new ruby file under `plugins` directory with the following structure
89
+ ```ruby
90
+ module JWTear
91
+ module CLI
92
+ extend GLI::App
93
+ extend JWTear::Helpers::Extensions::Print
94
+ extend JWTear::Helpers::Utils
95
+
96
+ desc "Plugin short description"
97
+ long_desc "Plugin long description"
98
+ command [:template, :pt] do |c|
99
+ c.action do |global, options, arguments|
100
+ print_h1 "Plugin template"
101
+ print_good "Hi, I'm a template."
102
+ template = TemplatePlugin.new
103
+ end
104
+ end
105
+ end
106
+
107
+ module Plugin
108
+ class TemplatePlugin
109
+ include JWTear::Helpers::Extensions::Print
110
+ include JWTear::Helpers::Utils
111
+
112
+ def initialize
113
+ check_dependencies
114
+ # ..code...
115
+ end
116
+
117
+ # ..code...
118
+ end
119
+ end
120
+ end
121
+ ```
122
+ Instead of including all dependencies for each plugin into jwtear, you can add these dependencies as a hash to `check_dependencies` method which will require the library and throw a gentle error to the user to install any missing gems.
123
+
124
+ The hash _key_ is the gem name to install, the hash _value_ is the `require` string
125
+ ```ruby
126
+ deps = {'async-io' => 'async/ip'}
127
+ check_dependencies(deps)
128
+ ```
129
+ Once the missing dependencies are installed by the user, the `check_dependencies` will require them once the plugin class initiated.
130
+
131
+
52
132
 
53
133
  ## Contributing
54
134
 
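Review bot: the plugin template will raise NameError as written: `+ template = TemplatePlugin.new` sits inside `JWTear::CLI`, but the class is defined under `JWTear::Plugin`, so it must be referenced as `Plugin::TemplatePlugin.new` (and the instance is assigned but never used, so either call something on it or drop the assignment). In the jws help text, `Run 'jwtear gen -l' for supported algorithms` points at a `gen` command that does not exist in the COMMANDS list (help, bruteforce, jws, jwe, parse, wiki), and the DESCRIPTION line `Generate JWS and JWE tokens.` belongs to the top-level tool, not the jws command. The `-k, --key=PASSWORD|PUB_KEY_FILE` option is documented as "a file public key"; for RS*/ES* algorithms signing needs the private key (a public key can only verify), so name it as a PEM key file and say which key each algorithm family requires. The command-level `-h` (header) also shadows the global `-h` (help) shown two blocks earlier, which makes `jwtear jws -h ...` easy to misread; consider a different short flag for the header. Minor grammar: "Each subcommand may have one or more argument" should be "arguments", "plugins are defined" should start with a capital, and "once the plugin class initiated" should be "once the plugin class is instantiated". The text says `check_dependencies` takes a hash of gem name to require path, but the template calls it with no argument; show the hash in the template so the two agree.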
data/bin/jwtear CHANGED
@@ -4,128 +4,53 @@
4
4
  #
5
5
  # @Author: KING SABRI - @KINGSABRI
6
6
  #
7
- lib = File.dirname(__FILE__) + '/../lib'
8
- mod = File.dirname(__FILE__) + '/../modules'
7
+ lib = File.expand_path(File.join(File.dirname(__FILE__), ['/', '..', 'lib']))
9
8
  if File.directory?(lib)
10
9
  unless $:.include?(lib)
11
10
  $:.unshift(lib)
12
- $:.unshift(mod)
13
11
  end
14
12
  end
15
13
  require 'jwtear'
16
- require 'optparse'
17
-
18
-
19
- options = {}
20
- option_parser = OptionParser.new
21
- option_parser.banner = "#{"JWTear".bold} - Parse, create and manipulate JWT tokens."
22
- option_parser.set_summary_indent ' '
23
- option_parser.separator "\nHelp menu:".underline
24
- option_parser.on('-p', '--parse JWT_TOKEN' , 'Parse JWT token') {|v| options[:parse] = v}
25
- option_parser.on('-t', '--generate-token', 'Generate JWT token.') {|v| options[:generate_token] = v}
26
- option_parser.on('-s', '--generate-sig', 'Generate JWT signature.') {|v| options[:generate_sig] = v}
27
- option_parser.on('-H', '--header HEADER',
28
- 'JWT header (JSON format). (required for generate-token and generate-sig)',
29
- ' eg. {"typ":"JWT","alg":"HS256"} | Supported algorithms: [HS256, RS512, etc]'
30
- ) {|v| options[:header] = v}
31
- option_parser.on('-P', '--payload PAYLOAD' ,
32
- 'JWT payload (JSON format). (required for generate-token and generate-sig)',
33
- ' eg. {"login":"admin"}'
34
- ) {|v| options[:payload] = v}
35
- option_parser.on('-g', '--alg ALGORITHM',
36
- 'Force algorithm type when generating a new token (ignore the one in header). (optional with generate-token)',
37
- ' Supported algorithms: [HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512]'
38
- ) {|v| options[:alg] = v}
39
- option_parser.on('-k', '--key SECRET',
40
- 'Secret Key for symmetric encryption. (required for generate-token and generate-sig. Accept password as a string or a file)',
41
- ' eg. P@ssw0rd | eg. public_key.pem'
42
- ) {|v| options[:key] = v}
43
- # option_parser.on( '-m MODULE', '--module MODULE',
44
- # "Use module - WIP",
45
- # "Use it without argument to list all modules with its usage"
46
- # ) {|v| options[:key] = v}
47
- option_parser.on('-v', '--version', 'Check current and latest version') {|v| options[:version] = v}
48
- option_parser.on('-h', '--help', 'Show this help message') {puts JWTear::Utils.banner , option_parser; exit!}
49
- option_parser.on_tail "\nUsage:\n".underline + "jwtear <OPTIONS>"
50
- option_parser.on_tail "\nExample:".underline
51
- option_parser.on_tail %Q{jwtear --generate-token --header #{"'".bold}{"typ":"JWT","alg":"HS256"}#{"'".bold} --payload #{"'".bold}{"login":"admin"}#{"'".bold} --key 'P@ssw0rd!'}
52
- option_parser.on_tail %Q{jwtear --generate-sig --header #{"'".bold}{"typ":"JWT","alg":"HS256"}#{"'".bold} --payload #{"'".bold}{"login":"admin"}#{"'".bold} --key 'P@ssw0rd!'}
53
- option_parser.on_tail %Q{jwtear --parse #{"'".bold}eyJwI...6IfJ9#{'.'.bold}kxrMS...MjAMm#{'.'.bold}zEybN...TU2Njk3ZmE3OA#{"'".bold}\n\n}
54
-
55
- begin
56
- option_parser.parse!
57
- include JWTear::Utils
58
- case
59
- when options[:version]
60
- puts "-[#{'Current version'.green}]----"
61
- puts JWTear::VERSION
62
- if latest_version == JWTear::VERSION
63
- puts "[+] ".dark_green + "You have latest version."
14
+ require 'gli'
15
+
16
+ module JWTear
17
+ module CLI
18
+ extend GLI::App
19
+ extend JWTear::Helpers::Utils
20
+ puts banner
21
+ program_desc 'Parse, create and manipulate JWT tokens.'
22
+
23
+ # CLI settings
24
+ ENV['GLI_DEBUG'] = "true" # Uncomment this line for debugging
25
+ autocomplete_commands true
26
+ subcommand_option_handling :normal
27
+ arguments :strict
28
+ sort_help :manually
29
+ wrap_help_text :verbatim #:to_terminal
30
+ synopsis_format :full #:compact
31
+
32
+ desc 'Check current and latest version'
33
+ switch [:v, :version], negatable: false
34
+ @version = JWTear::VERSION
35
+
36
+ desc 'Show this help message'
37
+ switch [:h, :help], negatable: false
38
+
39
+ dir = File.expand_path(File.join(File.dirname(__FILE__), ['..', 'plugins']))
40
+ commands_from dir if Dir.exist? dir
41
+
42
+ on_error do |exception|
43
+ case exception
44
+ when GLI::MissingRequiredArgumentsException
45
+ print_error "Option #{exception.message}"
46
+ exit!
64
47
  else
65
- puts "-[#{'Latest version'.green}]----"
66
- puts latest_version
67
- puts "[+] ".dark_green + "Please update. (gem update jwtear)"
48
+ print_error "Unknown Exception:"
49
+ print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
50
+ puts exception.full_message
51
+ exit!
68
52
  end
69
- # parse
70
- when options[:parse]
71
- jwt = JWTear::JWT.new(options[:parse])
72
- jwt_parsed = jwt.parse
73
- puts "-[#{'Hash'.green}]----"
74
- puts jwt_parsed
75
- puts "-[#{'JSON'.green}]----"
76
- puts jwt.json
77
- puts ''
78
- puts "[+] ".dark_green + "Header (envelope segment):".bold.underline
79
- jwt.header.each {|key, value| puts " #{'-'.bold} #{key}: #{value}"}
80
- puts "[+] ".dark_green + "Payload (claim segment):".bold.underline
81
- jwt.payload.each {|key, value| puts " #{'-'.bold} #{key}: #{value}"}
82
- puts "[+] ".dark_green + "Signature (envelope segment) - encoded:".bold.underline
83
- puts encode(jwt.signature) || '---[ no signature ]---'
84
-
85
- # checking missing for generate_token
86
- when options[:generate_token] && (options[:header] || options[:payload] || options[:key]).nil?
87
- puts '[!] '.red + "Missing mandatory switch(es) '--header/--payload/--alg/--key'"
88
-
89
- # checking missing for generate_sig
90
- when options[:generate_sig] && (options[:header] || options[:payload] || options[:key]).nil?
91
- puts '[!] '.red + "Missing mandatory switch(es) '--header/--payload/--key'"
92
-
93
- when options[:generate_token]
94
- jwt = JWTear::JWT.new
95
- jwt.header = options[:header]
96
- jwt.payload = options[:payload]
97
- jwt.alg = options[:alg]
98
- if options[:key]
99
- jwt.key = File.file?(options[:key])? File.read(options[:key]) : options[:key] # read key as a string or from file(eg. pub_key.pem)
100
- end
101
- token = jwt.generate_token
102
- puts "-[#{'Hash'.dark_green}]----"
103
- puts jwt.hash
104
- puts "-[#{'JSON'.dark_green}]----"
105
- puts jwt.json
106
- puts ''
107
- puts "-[#{'Token'.green}]----"
108
- puts token
109
-
110
- when options[:generate_sig]
111
- jwt = JWTear::JWT.new
112
- data_encoded = encode_header_payload(options[:header], options[:payload])
113
- puts "-[#{'Signature'.green}]----"
114
- puts encode(jwt.generate_sig(data_encoded, options[:alg], options[:key]).signature)
115
-
116
- else
117
- puts JWTear::Utils.banner
118
- puts option_parser
53
+ end
119
54
  end
120
- rescue OptionParser::MissingArgument => e
121
- e.args.each {|arg| puts '[!] '.red + "#{e.reason.capitalize} for '#{arg}' option."}
122
- puts option_parser
123
- rescue OptionParser::InvalidOption => e
124
- puts '[!] '.red + "#{e}"
125
- puts option_parser
126
- rescue Exception => e
127
- puts "[x] ".red + "Unknown Exception: option parser"
128
- puts '[!] '.yellow + 'Please report the issue at: https://github.com/KINGSABRI/jwtear/issues'.underline
129
- puts e.backtrace_locations
130
- puts e
131
55
  end
56
+ exit JWTear::CLI.run(ARGV)
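Review bot: `+ ENV['GLI_DEBUG'] = "true" # Uncomment this line for debugging` is active, not commented out; with GLI_DEBUG set, GLI re-raises exceptions with full backtraces instead of handling them, so the released binary will dump stack traces (including local paths) to users on any error. Comment the line out, or read the variable from the environment rather than setting it. The `on_error` block calls `print_error` and `print_warning`, but the module only extends `JWTear::Helpers::Utils`, whereas the README template extends `JWTear::Helpers::Extensions::Print` for the print helpers; if those methods live in Print, the error handler itself raises NameError and masks the original exception, so extend Print here too. `puts banner` runs at load time before any parsing, so the banner is printed even when output is piped (e.g. `jwtear parse ... | jq`); print it only when `$stdout.tty?` or only from help. `exit!` skips `ensure` blocks and `at_exit` handlers; `exit 1` is sufficient in both branches. Style: in `+ lib = File.expand_path(File.join(File.dirname(__FILE__), ['/', '..', 'lib']))` the `'/'` element is redundant; `File.expand_path('../lib', __dir__)` is clearer, and the same applies to the plugins directory computation.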