jwtear 0.2.0 → 1.0.0.pre

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
- SHA1:
3
- metadata.gz: 31993d744377eadf2eb201f98dfaa66adab22cfc
4
- data.tar.gz: e672364d1ebd8177c28337bb8be696f179723f35
2
+ SHA256:
3
+ metadata.gz: 337191e2dd73a88ddc1d794bebd7056ac661bc4c7a5d5ef6cec688b47c04bffa
4
+ data.tar.gz: b7f3b4bca6142c587b66da6de5dcaed0607c629b6eb2ebe16655d846f8de6d54
5
5
  SHA512:
6
- metadata.gz: 65a8dd13d5646b5a2b22ecfb3d086f4c41496ce072301ff0b1edba69dc556d5219e0a3bd2fe0661781c1a7bb3c070d43c0fbf27c724b4de6a87e3a7a5435ebb7
7
- data.tar.gz: e4730d76bad3fc32f12392ea13ab25da5aca60f47603a12737a54d17dd219654997ddc55ad0d822ce336b8ac7ce93e76007f4737a303098a6b4ab52880d9448b
6
+ metadata.gz: 3a99ddea7d5ec592e0742fb2a266e852ff42148278f8579024ca722ae5f51b55929a71da19ec570ede487d9ee42e5f7866b578d0b14b0e51959fefe78b58ff4e
7
+ data.tar.gz: e6c65cb64a34918ace92dd57ed912a2060c862b2d855ab0e5fb7dedd4ae33c95ef8be9a4275b5f893426774cbe3803bc85f35b69c84f30022691ee2511e0893b
data/.gitignore CHANGED
@@ -1 +1,8 @@
1
- .idea/
1
+ /.bundle/
2
+ /.yardoc
3
+ /_yardoc/
4
+ /coverage/
5
+ /doc/
6
+ /pkg/
7
+ /spec/reports/
8
+ /tmp/
@@ -0,0 +1,74 @@
1
+ # Contributor Covenant Code of Conduct
2
+
3
+ ## Our Pledge
4
+
5
+ In the interest of fostering an open and welcoming environment, we as
6
+ contributors and maintainers pledge to making participation in our project and
7
+ our community a harassment-free experience for everyone, regardless of age, body
8
+ size, disability, ethnicity, gender identity and expression, level of experience,
9
+ nationality, personal appearance, race, religion, or sexual identity and
10
+ orientation.
11
+
12
+ ## Our Standards
13
+
14
+ Examples of behavior that contributes to creating a positive environment
15
+ include:
16
+
17
+ * Using welcoming and inclusive language
18
+ * Being respectful of differing viewpoints and experiences
19
+ * Gracefully accepting constructive criticism
20
+ * Focusing on what is best for the community
21
+ * Showing empathy towards other community members
22
+
23
+ Examples of unacceptable behavior by participants include:
24
+
25
+ * The use of sexualized language or imagery and unwelcome sexual attention or
26
+ advances
27
+ * Trolling, insulting/derogatory comments, and personal or political attacks
28
+ * Public or private harassment
29
+ * Publishing others' private information, such as a physical or electronic
30
+ address, without explicit permission
31
+ * Other conduct which could reasonably be considered inappropriate in a
32
+ professional setting
33
+
34
+ ## Our Responsibilities
35
+
36
+ Project maintainers are responsible for clarifying the standards of acceptable
37
+ behavior and are expected to take appropriate and fair corrective action in
38
+ response to any instances of unacceptable behavior.
39
+
40
+ Project maintainers have the right and responsibility to remove, edit, or
41
+ reject comments, commits, code, wiki edits, issues, and other contributions
42
+ that are not aligned to this Code of Conduct, or to ban temporarily or
43
+ permanently any contributor for other behaviors that they deem inappropriate,
44
+ threatening, offensive, or harmful.
45
+
46
+ ## Scope
47
+
48
+ This Code of Conduct applies both within project spaces and in public spaces
49
+ when an individual is representing the project or its community. Examples of
50
+ representing a project or community include using an official project e-mail
51
+ address, posting via an official social media account, or acting as an appointed
52
+ representative at an online or offline event. Representation of a project may be
53
+ further defined and clarified by project maintainers.
54
+
55
+ ## Enforcement
56
+
57
+ Instances of abusive, harassing, or otherwise unacceptable behavior may be
58
+ reported by contacting the project team at king.sabri@gmail.com. All
59
+ complaints will be reviewed and investigated and will result in a response that
60
+ is deemed necessary and appropriate to the circumstances. The project team is
61
+ obligated to maintain confidentiality with regard to the reporter of an incident.
62
+ Further details of specific enforcement policies may be posted separately.
63
+
64
+ Project maintainers who do not follow or enforce the Code of Conduct in good
65
+ faith may face temporary or permanent repercussions as determined by other
66
+ members of the project's leadership.
67
+
68
+ ## Attribution
69
+
70
+ This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
71
+ available at [http://contributor-covenant.org/version/1/4][version]
72
+
73
+ [homepage]: http://contributor-covenant.org
74
+ [version]: http://contributor-covenant.org/version/1/4/
data/Gemfile CHANGED
@@ -1,6 +1,4 @@
1
1
  source "https://rubygems.org"
2
2
 
3
- git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
4
-
5
3
  # Specify your gem's dependencies in jwtear.gemspec
6
4
  gemspec
@@ -0,0 +1,71 @@
1
+ PATH
2
+ remote: .
3
+ specs:
4
+ jwtear (1.0.0)
5
+ gli (~> 2.19, >= 2.19.0)
6
+ json-jwt (~> 1.10, >= 1.10.2)
7
+ jwe (~> 0.4.0)
8
+ tty-markdown (~> 0.6.0)
9
+ tty-pager (~> 0.12.1)
10
+
11
+ GEM
12
+ remote: https://rubygems.org/
13
+ specs:
14
+ activesupport (6.0.0)
15
+ concurrent-ruby (~> 1.0, >= 1.0.2)
16
+ i18n (>= 0.7, < 2)
17
+ minitest (~> 5.1)
18
+ tzinfo (~> 1.1)
19
+ zeitwerk (~> 2.1, >= 2.1.8)
20
+ aes_key_wrap (1.0.1)
21
+ bindata (2.4.4)
22
+ concurrent-ruby (1.1.5)
23
+ equatable (0.6.1)
24
+ gli (2.19.0)
25
+ i18n (1.7.0)
26
+ concurrent-ruby (~> 1.0)
27
+ json-jwt (1.10.2)
28
+ activesupport (>= 4.2)
29
+ aes_key_wrap
30
+ bindata
31
+ jwe (0.4.0)
32
+ kramdown (1.16.2)
33
+ minitest (5.12.2)
34
+ pastel (0.7.3)
35
+ equatable (~> 0.6)
36
+ tty-color (~> 0.5)
37
+ rouge (3.11.1)
38
+ strings (0.1.6)
39
+ strings-ansi (~> 0.1)
40
+ unicode-display_width (~> 1.5)
41
+ unicode_utils (~> 1.4)
42
+ strings-ansi (0.1.0)
43
+ thread_safe (0.3.6)
44
+ tty-color (0.5.0)
45
+ tty-markdown (0.6.0)
46
+ kramdown (~> 1.16.2)
47
+ pastel (~> 0.7.2)
48
+ rouge (~> 3.3)
49
+ strings (~> 0.1.4)
50
+ tty-color (~> 0.4)
51
+ tty-screen (~> 0.6)
52
+ tty-pager (0.12.1)
53
+ strings (~> 0.1.4)
54
+ tty-screen (~> 0.6)
55
+ tty-which (~> 0.4)
56
+ tty-screen (0.7.0)
57
+ tty-which (0.4.1)
58
+ tzinfo (1.2.5)
59
+ thread_safe (~> 0.1)
60
+ unicode-display_width (1.6.0)
61
+ unicode_utils (1.4.0)
62
+ zeitwerk (2.1.10)
63
+
64
+ PLATFORMS
65
+ ruby
66
+
67
+ DEPENDENCIES
68
+ jwtear!
69
+
70
+ BUNDLED WITH
71
+ 2.0.2
data/README.md CHANGED
@@ -1,7 +1,19 @@
1
1
  # Jwtear
2
- Command-line tool and library to parse, create and manipulate JSON Web Token(JWT) tokens for security testing purposes.
2
+ A modular Command-line tool to parse, create and manipulate JSON Web Token(JWT) tokens for security testing purposes.
3
3
 
4
- During working on exploiting some JWT-based application, I needed some tool to make parsing and manipulating JWT token easier.
4
+ ## Features
5
+ - Complete modularity.
6
+ - All commands are plugins.
7
+ - Easy to add a new plugins.
8
+ - Support JWS and JWE tokens.
9
+ - Easy interface for plugins. (follow the template example)
10
+
11
+ ### Available plugins
12
+ - Parse: parses jwt tokens.
13
+ - jws: manipulate and generate JWS tokens.
14
+ - jwe: manipulate and generate JWE tokens.
15
+ - bruteforce: brutefocing JWS signing key
16
+ - wiki: contains information about JWT, attacks ideas, references.
5
17
 
6
18
  ## Installation
7
19
 
@@ -11,8 +23,8 @@ install it yourself as:
11
23
 
12
24
  ## Usage
13
25
 
26
+ - Show the main menu
14
27
  ```
15
-
16
28
  888888 888 888 88888888888
17
29
  "88b 888 o 888 888
18
30
  888 888 d8b 888 888
@@ -21,34 +33,102 @@ install it yourself as:
21
33
  888 88888P Y88888 888 88888888 .d888888 888
22
34
  88P 8888P Y8888 888 Y8b. 888 888 888
23
35
  888 888P Y888 888 "Y8888 "Y888888 888
24
- .d88P v0.1.2
36
+ .d88P v1.0.0
25
37
  .d88P"
26
38
  888P"
27
- JWTear - Parse, create and manipulate JWT tokens.
28
-
29
- Help menu:
30
- -p, --parse JWT_TOKEN Parse JWT token
31
- -t, --generate-token Generate JWT token.
32
- -s, --generate-sig Generate JWT signature.
33
- -H, --header HEADER JWT header (JSON format). (required for generate-token and generate-sig)
34
- eg. {"typ":"JWT","alg":"HS256"} | Supported algorithms: [HS256, RS512, etc]
35
- -P, --payload PAYLOAD JWT payload (JSON format). (required for generate-token and generate-sig)
36
- eg. {"login":"admin"}
37
- -g, --alg ALGORITHM Force algorithm type when generating a new token (ignore the one in header). (optional with generate-token)
38
- Supported algorithms: [HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512]
39
- -k, --key SECRET Secret Key for symmetric encryption. (required for generate-token and generate-sig. Accept password as a string or a file)
40
- eg. P@ssw0rd | eg. public_key.pem
41
- -h, --help Show this help message
42
-
43
- Usage:
44
- jwtear <OPTIONS>
45
-
46
- Example:
47
- jwtear --generate-token --header '{"typ":"JWT","alg":"HS256"}' --payload '{"login":"admin"}' --key 'P@ssw0rd!'
48
- jwtear --generate-sig --header '{"typ":"JWT","alg":"HS256"}' --payload '{"login":"admin"}' --key 'P@ssw0rd!'
49
- jwtear --parse 'eyJwI...6IfJ9.kxrMS...MjAMm.zEybN...TU2Njk3ZmE3OA'
39
+ NAME
40
+ jwtear - Parse, create and manipulate JWT tokens.
41
+
42
+ SYNOPSIS
43
+ jwtear [global options] command [command options] [arguments...]
44
+
45
+ GLOBAL OPTIONS
46
+ -v, --version - Check current and latest version
47
+ -h, --help - Show this help message
48
+
49
+ COMMANDS
50
+ help - Shows a list of commands or help for one command
51
+ bruteforce, bfs - plugin to offline bruteforce and crack token's signature.
52
+ jws, s - Generate signature-based JWT (JWS) token.
53
+ jwe, e - Generate encryption-based JWT (JWE) token.
54
+ parse - Parse JWT token (accepts JWS and JWE formats).
55
+ wiki, w - A JWT wiki for hackers.
56
+ ```
57
+
58
+ - Show a subcommand help, use `-h COMMAND`
50
59
 
51
60
  ```
61
+ $jwtear -h jws
62
+
63
+ NAME
64
+ jws - Generate signature-based JWT (JWS) token.
65
+
66
+ SYNOPSIS
67
+ jwtear [global options] jws [command options]
68
+
69
+ DESCRIPTION
70
+ Generate JWS and JWE tokens.
71
+
72
+ COMMAND OPTIONS
73
+ -h, --header=JSON - JWT header (JSON format). eg. {"typ":"JWT","alg":"HS256"}. Run 'jwtear gen -l' for supported algorithms. (required, default: none)
74
+ -p, --payload=JSON - JWT payload (JSON format). eg. {"login":"admin"} (required, default: none)
75
+ -k, --key=PASSWORD|PUB_KEY_FILE - Key as a password string or a file public key. eg. P@ssw0rd | eg. public_key.pem (default: none)
76
+ ```
77
+
78
+ - Use a plugin
79
+
80
+ plugins are defined as subcommands. Each subcommand may have one or more argument and/or switches.
81
+ ```
82
+ $ jwtear parse -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.J8SS8VKlI2yV47C4BtfYukWPx_2welF34Mz7l-MNmkE
83
+ $ jwtear jws -h '{"alg":"HS256","typ":"JWT"}' -p '{"user":"admin"}' -k p@ss0rd123
84
+ $ jwtear bruteforce -t eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjpudWxsfQ.Tr0VvdP6rVBGBGuI_luxGCOaz6BbhC6IxRTlKOW8UjM -l ~/tmp/pass.list -v
85
+ ```
86
+
87
+ ## Add plugin
88
+ To add a new plugin, create a new ruby file under `plugins` directory with the following structure
89
+ ```ruby
90
+ module JWTear
91
+ module CLI
92
+ extend GLI::App
93
+ extend JWTear::Helpers::Extensions::Print
94
+ extend JWTear::Helpers::Utils
95
+
96
+ desc "Plugin short description"
97
+ long_desc "Plugin long description"
98
+ command [:template, :pt] do |c|
99
+ c.action do |global, options, arguments|
100
+ print_h1 "Plugin template"
101
+ print_good "Hi, I'm a template."
102
+ template = TemplatePlugin.new
103
+ end
104
+ end
105
+ end
106
+
107
+ module Plugin
108
+ class TemplatePlugin
109
+ include JWTear::Helpers::Extensions::Print
110
+ include JWTear::Helpers::Utils
111
+
112
+ def initialize
113
+ check_dependencies
114
+ # ..code...
115
+ end
116
+
117
+ # ..code...
118
+ end
119
+ end
120
+ end
121
+ ```
122
+ Instead of including all dependencies for each plugin into jwtear, you can add these dependencies as a hash to `check_dependencies` method which will require the library and throw a gentle error to the user to install any missing gems.
123
+
124
+ The hash _key_ is the gem name to install, the hash _value_ is the `require` string
125
+ ```ruby
126
+ deps = {'async-io' => 'async/ip'}
127
+ check_dependencies(deps)
128
+ ```
129
+ Once the missing dependencies are installed by the user, the `check_dependencies` will require them once the plugin class initiated.
130
+
131
+
52
132
 
53
133
  ## Contributing
54
134
 
data/bin/jwtear CHANGED
@@ -4,128 +4,53 @@
4
4
  #
5
5
  # @Author: KING SABRI - @KINGSABRI
6
6
  #
7
- lib = File.dirname(__FILE__) + '/../lib'
8
- mod = File.dirname(__FILE__) + '/../modules'
7
+ lib = File.expand_path(File.join(File.dirname(__FILE__), ['/', '..', 'lib']))
9
8
  if File.directory?(lib)
10
9
  unless $:.include?(lib)
11
10
  $:.unshift(lib)
12
- $:.unshift(mod)
13
11
  end
14
12
  end
15
13
  require 'jwtear'
16
- require 'optparse'
17
-
18
-
19
- options = {}
20
- option_parser = OptionParser.new
21
- option_parser.banner = "#{"JWTear".bold} - Parse, create and manipulate JWT tokens."
22
- option_parser.set_summary_indent ' '
23
- option_parser.separator "\nHelp menu:".underline
24
- option_parser.on('-p', '--parse JWT_TOKEN' , 'Parse JWT token') {|v| options[:parse] = v}
25
- option_parser.on('-t', '--generate-token', 'Generate JWT token.') {|v| options[:generate_token] = v}
26
- option_parser.on('-s', '--generate-sig', 'Generate JWT signature.') {|v| options[:generate_sig] = v}
27
- option_parser.on('-H', '--header HEADER',
28
- 'JWT header (JSON format). (required for generate-token and generate-sig)',
29
- ' eg. {"typ":"JWT","alg":"HS256"} | Supported algorithms: [HS256, RS512, etc]'
30
- ) {|v| options[:header] = v}
31
- option_parser.on('-P', '--payload PAYLOAD' ,
32
- 'JWT payload (JSON format). (required for generate-token and generate-sig)',
33
- ' eg. {"login":"admin"}'
34
- ) {|v| options[:payload] = v}
35
- option_parser.on('-g', '--alg ALGORITHM',
36
- 'Force algorithm type when generating a new token (ignore the one in header). (optional with generate-token)',
37
- ' Supported algorithms: [HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512]'
38
- ) {|v| options[:alg] = v}
39
- option_parser.on('-k', '--key SECRET',
40
- 'Secret Key for symmetric encryption. (required for generate-token and generate-sig. Accept password as a string or a file)',
41
- ' eg. P@ssw0rd | eg. public_key.pem'
42
- ) {|v| options[:key] = v}
43
- # option_parser.on( '-m MODULE', '--module MODULE',
44
- # "Use module - WIP",
45
- # "Use it without argument to list all modules with its usage"
46
- # ) {|v| options[:key] = v}
47
- option_parser.on('-v', '--version', 'Check current and latest version') {|v| options[:version] = v}
48
- option_parser.on('-h', '--help', 'Show this help message') {puts JWTear::Utils.banner , option_parser; exit!}
49
- option_parser.on_tail "\nUsage:\n".underline + "jwtear <OPTIONS>"
50
- option_parser.on_tail "\nExample:".underline
51
- option_parser.on_tail %Q{jwtear --generate-token --header #{"'".bold}{"typ":"JWT","alg":"HS256"}#{"'".bold} --payload #{"'".bold}{"login":"admin"}#{"'".bold} --key 'P@ssw0rd!'}
52
- option_parser.on_tail %Q{jwtear --generate-sig --header #{"'".bold}{"typ":"JWT","alg":"HS256"}#{"'".bold} --payload #{"'".bold}{"login":"admin"}#{"'".bold} --key 'P@ssw0rd!'}
53
- option_parser.on_tail %Q{jwtear --parse #{"'".bold}eyJwI...6IfJ9#{'.'.bold}kxrMS...MjAMm#{'.'.bold}zEybN...TU2Njk3ZmE3OA#{"'".bold}\n\n}
54
-
55
- begin
56
- option_parser.parse!
57
- include JWTear::Utils
58
- case
59
- when options[:version]
60
- puts "-[#{'Current version'.green}]----"
61
- puts JWTear::VERSION
62
- if latest_version == JWTear::VERSION
63
- puts "[+] ".dark_green + "You have latest version."
14
+ require 'gli'
15
+
16
+ module JWTear
17
+ module CLI
18
+ extend GLI::App
19
+ extend JWTear::Helpers::Utils
20
+ puts banner
21
+ program_desc 'Parse, create and manipulate JWT tokens.'
22
+
23
+ # CLI settings
24
+ ENV['GLI_DEBUG'] = "true" # Uncomment this line for debugging
25
+ autocomplete_commands true
26
+ subcommand_option_handling :normal
27
+ arguments :strict
28
+ sort_help :manually
29
+ wrap_help_text :verbatim #:to_terminal
30
+ synopsis_format :full #:compact
31
+
32
+ desc 'Check current and latest version'
33
+ switch [:v, :version], negatable: false
34
+ @version = JWTear::VERSION
35
+
36
+ desc 'Show this help message'
37
+ switch [:h, :help], negatable: false
38
+
39
+ dir = File.expand_path(File.join(File.dirname(__FILE__), ['..', 'plugins']))
40
+ commands_from dir if Dir.exist? dir
41
+
42
+ on_error do |exception|
43
+ case exception
44
+ when GLI::MissingRequiredArgumentsException
45
+ print_error "Option #{exception.message}"
46
+ exit!
64
47
  else
65
- puts "-[#{'Latest version'.green}]----"
66
- puts latest_version
67
- puts "[+] ".dark_green + "Please update. (gem update jwtear)"
48
+ print_error "Unknown Exception:"
49
+ print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
50
+ puts exception.full_message
51
+ exit!
68
52
  end
69
- # parse
70
- when options[:parse]
71
- jwt = JWTear::JWT.new(options[:parse])
72
- jwt_parsed = jwt.parse
73
- puts "-[#{'Hash'.green}]----"
74
- puts jwt_parsed
75
- puts "-[#{'JSON'.green}]----"
76
- puts jwt.json
77
- puts ''
78
- puts "[+] ".dark_green + "Header (envelope segment):".bold.underline
79
- jwt.header.each {|key, value| puts " #{'-'.bold} #{key}: #{value}"}
80
- puts "[+] ".dark_green + "Payload (claim segment):".bold.underline
81
- jwt.payload.each {|key, value| puts " #{'-'.bold} #{key}: #{value}"}
82
- puts "[+] ".dark_green + "Signature (envelope segment) - encoded:".bold.underline
83
- puts encode(jwt.signature) || '---[ no signature ]---'
84
-
85
- # checking missing for generate_token
86
- when options[:generate_token] && (options[:header] || options[:payload] || options[:key]).nil?
87
- puts '[!] '.red + "Missing mandatory switch(es) '--header/--payload/--alg/--key'"
88
-
89
- # checking missing for generate_sig
90
- when options[:generate_sig] && (options[:header] || options[:payload] || options[:key]).nil?
91
- puts '[!] '.red + "Missing mandatory switch(es) '--header/--payload/--key'"
92
-
93
- when options[:generate_token]
94
- jwt = JWTear::JWT.new
95
- jwt.header = options[:header]
96
- jwt.payload = options[:payload]
97
- jwt.alg = options[:alg]
98
- if options[:key]
99
- jwt.key = File.file?(options[:key])? File.read(options[:key]) : options[:key] # read key as a string or from file(eg. pub_key.pem)
100
- end
101
- token = jwt.generate_token
102
- puts "-[#{'Hash'.dark_green}]----"
103
- puts jwt.hash
104
- puts "-[#{'JSON'.dark_green}]----"
105
- puts jwt.json
106
- puts ''
107
- puts "-[#{'Token'.green}]----"
108
- puts token
109
-
110
- when options[:generate_sig]
111
- jwt = JWTear::JWT.new
112
- data_encoded = encode_header_payload(options[:header], options[:payload])
113
- puts "-[#{'Signature'.green}]----"
114
- puts encode(jwt.generate_sig(data_encoded, options[:alg], options[:key]).signature)
115
-
116
- else
117
- puts JWTear::Utils.banner
118
- puts option_parser
53
+ end
119
54
  end
120
- rescue OptionParser::MissingArgument => e
121
- e.args.each {|arg| puts '[!] '.red + "#{e.reason.capitalize} for '#{arg}' option."}
122
- puts option_parser
123
- rescue OptionParser::InvalidOption => e
124
- puts '[!] '.red + "#{e}"
125
- puts option_parser
126
- rescue Exception => e
127
- puts "[x] ".red + "Unknown Exception: option parser"
128
- puts '[!] '.yellow + 'Please report the issue at: https://github.com/KINGSABRI/jwtear/issues'.underline
129
- puts e.backtrace_locations
130
- puts e
131
55
  end
56
+ exit JWTear::CLI.run(ARGV)