jwtear 0.2.0 → 1.0.0.pre

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 31993d744377eadf2eb201f98dfaa66adab22cfc
-  data.tar.gz: e672364d1ebd8177c28337bb8be696f179723f35
+SHA256:
+  metadata.gz: 337191e2dd73a88ddc1d794bebd7056ac661bc4c7a5d5ef6cec688b47c04bffa
+  data.tar.gz: b7f3b4bca6142c587b66da6de5dcaed0607c629b6eb2ebe16655d846f8de6d54
 SHA512:
-  metadata.gz: 65a8dd13d5646b5a2b22ecfb3d086f4c41496ce072301ff0b1edba69dc556d5219e0a3bd2fe0661781c1a7bb3c070d43c0fbf27c724b4de6a87e3a7a5435ebb7
-  data.tar.gz: e4730d76bad3fc32f12392ea13ab25da5aca60f47603a12737a54d17dd219654997ddc55ad0d822ce336b8ac7ce93e76007f4737a303098a6b4ab52880d9448b
+  metadata.gz: 3a99ddea7d5ec592e0742fb2a266e852ff42148278f8579024ca722ae5f51b55929a71da19ec570ede487d9ee42e5f7866b578d0b14b0e51959fefe78b58ff4e
+  data.tar.gz: e6c65cb64a34918ace92dd57ed912a2060c862b2d855ab0e5fb7dedd4ae33c95ef8be9a4275b5f893426774cbe3803bc85f35b69c84f30022691ee2511e0893b

data/.gitignore

@@ -1 +1,8 @@
-.idea/
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at king.sabri@gmail.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -1,6 +1,4 @@
 source "https://rubygems.org"
 
-git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
-
 # Specify your gem's dependencies in jwtear.gemspec
 gemspec

data/Gemfile.lock

@@ -0,0 +1,71 @@
+PATH
+  remote: .
+  specs:
+    jwtear (1.0.0)
+      gli (~> 2.19, >= 2.19.0)
+      json-jwt (~> 1.10, >= 1.10.2)
+      jwe (~> 0.4.0)
+      tty-markdown (~> 0.6.0)
+      tty-pager (~> 0.12.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (6.0.0)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+      zeitwerk (~> 2.1, >= 2.1.8)
+    aes_key_wrap (1.0.1)
+    bindata (2.4.4)
+    concurrent-ruby (1.1.5)
+    equatable (0.6.1)
+    gli (2.19.0)
+    i18n (1.7.0)
+      concurrent-ruby (~> 1.0)
+    json-jwt (1.10.2)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      bindata
+    jwe (0.4.0)
+    kramdown (1.16.2)
+    minitest (5.12.2)
+    pastel (0.7.3)
+      equatable (~> 0.6)
+      tty-color (~> 0.5)
+    rouge (3.11.1)
+    strings (0.1.6)
+      strings-ansi (~> 0.1)
+      unicode-display_width (~> 1.5)
+      unicode_utils (~> 1.4)
+    strings-ansi (0.1.0)
+    thread_safe (0.3.6)
+    tty-color (0.5.0)
+    tty-markdown (0.6.0)
+      kramdown (~> 1.16.2)
+      pastel (~> 0.7.2)
+      rouge (~> 3.3)
+      strings (~> 0.1.4)
+      tty-color (~> 0.4)
+      tty-screen (~> 0.6)
+    tty-pager (0.12.1)
+      strings (~> 0.1.4)
+      tty-screen (~> 0.6)
+      tty-which (~> 0.4)
+    tty-screen (0.7.0)
+    tty-which (0.4.1)
+    tzinfo (1.2.5)
+      thread_safe (~> 0.1)
+    unicode-display_width (1.6.0)
+    unicode_utils (1.4.0)
+    zeitwerk (2.1.10)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  jwtear!
+
+BUNDLED WITH
+   2.0.2

data/README.md

@@ -1,7 +1,19 @@
 # Jwtear
-Command-line tool and library to parse, create and manipulate JSON Web Token(JWT) tokens for security testing purposes. 
+A modular Command-line tool to parse, create and manipulate JSON Web Token(JWT) tokens for security testing purposes. 
 
-During working on exploiting some JWT-based application, I needed some tool to make parsing and manipulating JWT token easier. 
+## Features
+- Complete modularity.
+    - All commands are plugins.
+    - Easy to add a new plugins.
+    - Support JWS and JWE tokens.  
+- Easy interface for plugins. (follow the template example)
+
+### Available plugins
+- Parse: parses jwt tokens.
+- jws: manipulate and generate JWS tokens.
+- jwe: manipulate and generate JWE tokens.
+- bruteforce: brutefocing JWS signing key
+- wiki: contains information about JWT, attacks ideas, references.
 
 ## Installation
 
@@ -11,8 +23,8 @@ install it yourself as:
 
 ## Usage
 
+- Show the main menu 
 ```
-
     888888 888       888 88888888888
       "88b 888   o   888     888
        888 888  d8b  888     888
@@ -21,34 +33,102 @@ install it yourself as:
        888 88888P Y88888     888  88888888 .d888888 888
        88P 8888P   Y8888     888  Y8b.     888  888 888
        888 888P     Y888     888   "Y8888  "Y888888 888
-     .d88P                                       v0.1.2
+     .d88P                                       v1.0.0
    .d88P"
   888P"    
-JWTear - Parse, create and manipulate JWT tokens.
-
-Help menu:
-   -p, --parse JWT_TOKEN            Parse JWT token
-   -t, --generate-token             Generate JWT token.
-   -s, --generate-sig               Generate JWT signature.
-   -H, --header HEADER              JWT header (JSON format). (required for generate-token and generate-sig)
-                                      eg. {"typ":"JWT","alg":"HS256"} | Supported algorithms: [HS256, RS512, etc]
-   -P, --payload PAYLOAD            JWT payload (JSON format). (required for generate-token and generate-sig)
-                                      eg. {"login":"admin"}
-   -g, --alg ALGORITHM              Force algorithm type when generating a new token (ignore the one in header). (optional with generate-token)
-                                      Supported algorithms: [HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512]
-   -k, --key SECRET                 Secret Key for symmetric encryption. (required for generate-token and generate-sig. Accept password as a string or a file)
-                                      eg. P@ssw0rd  | eg. public_key.pem
-   -h, --help                       Show this help message
-
-Usage:
-jwtear <OPTIONS>
-
-Example:
-jwtear --generate-token --header '{"typ":"JWT","alg":"HS256"}' --payload '{"login":"admin"}' --key 'P@ssw0rd!'
-jwtear --generate-sig --header '{"typ":"JWT","alg":"HS256"}' --payload '{"login":"admin"}' --key 'P@ssw0rd!'
-jwtear --parse 'eyJwI...6IfJ9.kxrMS...MjAMm.zEybN...TU2Njk3ZmE3OA'
+NAME
+    jwtear - Parse, create and manipulate JWT tokens.
+
+SYNOPSIS
+    jwtear [global options] command [command options] [arguments...]
+
+GLOBAL OPTIONS
+    -v, --version - Check current and latest version
+    -h, --help    - Show this help message
+
+COMMANDS
+    help            - Shows a list of commands or help for one command
+    bruteforce, bfs - plugin to offline bruteforce and crack token's signature.
+    jws, s          - Generate signature-based JWT (JWS) token.
+    jwe, e          - Generate encryption-based JWT (JWE) token.
+    parse           - Parse JWT token (accepts JWS and JWE formats).
+    wiki, w         - A JWT wiki for hackers.
+```
+
+- Show a subcommand help, use `-h COMMAND`
 
 ```
+$jwtear -h jws
+
+NAME
+    jws - Generate signature-based JWT (JWS) token.
+
+SYNOPSIS
+    jwtear [global options] jws [command options] 
+
+DESCRIPTION
+    Generate JWS and JWE tokens. 
+
+COMMAND OPTIONS
+    -h, --header=JSON               - JWT header (JSON format). eg. {"typ":"JWT","alg":"HS256"}. Run 'jwtear gen -l' for supported algorithms. (required, default: none)
+    -p, --payload=JSON              - JWT payload (JSON format). eg. {"login":"admin"} (required, default: none)
+    -k, --key=PASSWORD|PUB_KEY_FILE - Key as a password string or a file public key. eg. P@ssw0rd  | eg. public_key.pem (default: none)
+```
+
+- Use a plugin
+
+plugins are defined as subcommands. Each subcommand may have one or more argument and/or switches.
+```
+$ jwtear parse -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.J8SS8VKlI2yV47C4BtfYukWPx_2welF34Mz7l-MNmkE
+$ jwtear jws -h '{"alg":"HS256","typ":"JWT"}' -p '{"user":"admin"}' -k p@ss0rd123
+$ jwtear bruteforce -t eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjpudWxsfQ.Tr0VvdP6rVBGBGuI_luxGCOaz6BbhC6IxRTlKOW8UjM -l ~/tmp/pass.list -v
+```
+
+## Add plugin
+To add a new plugin, create a new ruby file under `plugins` directory with the following structure
+```ruby
+module JWTear
+  module CLI
+    extend GLI::App
+    extend JWTear::Helpers::Extensions::Print
+    extend JWTear::Helpers::Utils
+
+    desc "Plugin short description"
+    long_desc "Plugin long description"
+    command [:template, :pt] do |c|
+      c.action do |global, options, arguments|
+        print_h1 "Plugin template"
+        print_good "Hi, I'm a template."
+        template = TemplatePlugin.new
+      end
+    end
+  end
+
+  module Plugin
+    class TemplatePlugin
+      include JWTear::Helpers::Extensions::Print
+      include JWTear::Helpers::Utils
+
+      def initialize
+        check_dependencies
+        # ..code...
+      end
+     
+      # ..code...
+    end
+  end
+end
+```
+Instead of including all dependencies for each plugin into jwtear, you can add these dependencies as a hash to `check_dependencies` method which will require the library and throw a gentle error to the user to install any missing gems.
+
+The hash _key_ is the gem name to install, the hash _value_ is the `require` string 
+```ruby
+deps = {'async-io' => 'async/ip'}
+check_dependencies(deps)
+```
+Once the missing dependencies are installed by the user, the `check_dependencies` will require them once the plugin class initiated.
+
+
 
 ## Contributing
 

data/bin/jwtear

@@ -4,128 +4,53 @@
 #
 # @Author: KING SABRI - @KINGSABRI
 #
-lib = File.dirname(__FILE__) + '/../lib'
-mod = File.dirname(__FILE__) + '/../modules'
+lib = File.expand_path(File.join(File.dirname(__FILE__), ['/', '..', 'lib']))
 if File.directory?(lib)
   unless $:.include?(lib)
     $:.unshift(lib)
-    $:.unshift(mod)
   end
 end
 require 'jwtear'
-require 'optparse'
-
-
-options = {}
-option_parser = OptionParser.new
-option_parser.banner = "#{"JWTear".bold} - Parse, create and manipulate JWT tokens."
-option_parser.set_summary_indent '   '
-option_parser.separator "\nHelp menu:".underline
-option_parser.on('-p', '--parse JWT_TOKEN' , 'Parse JWT token') {|v| options[:parse] = v}
-option_parser.on('-t', '--generate-token', 'Generate JWT token.') {|v| options[:generate_token] = v}
-option_parser.on('-s', '--generate-sig', 'Generate JWT signature.') {|v| options[:generate_sig] = v}
-option_parser.on('-H', '--header HEADER',
-                  'JWT header (JSON format). (required for generate-token and generate-sig)',
-                  '  eg. {"typ":"JWT","alg":"HS256"} | Supported algorithms: [HS256, RS512, etc]'
-) {|v| options[:header] = v}
-option_parser.on('-P', '--payload PAYLOAD' ,
-                    'JWT payload (JSON format). (required for generate-token and generate-sig)',
-                    '  eg. {"login":"admin"}'
-) {|v| options[:payload] = v}
-option_parser.on('-g', '--alg ALGORITHM',
-                  'Force algorithm type when generating a new token (ignore the one in header). (optional with generate-token)',
-                  '  Supported algorithms: [HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512]'
-) {|v| options[:alg] = v}
-option_parser.on('-k', '--key SECRET',
-                 'Secret Key for symmetric encryption. (required for generate-token and generate-sig. Accept password as a string or a file)',
-                 '  eg. P@ssw0rd  | eg. public_key.pem'
-) {|v| options[:key] = v}
-# option_parser.on( '-m MODULE', '--module MODULE',
-#                  "Use module - WIP",
-#                  "Use it without argument to list all modules with its usage"
-# ) {|v| options[:key] = v}
-option_parser.on('-v', '--version', 'Check current and latest version') {|v| options[:version] = v}
-option_parser.on('-h', '--help', 'Show this help message') {puts JWTear::Utils.banner , option_parser; exit!}
-option_parser.on_tail "\nUsage:\n".underline + "jwtear <OPTIONS>"
-option_parser.on_tail "\nExample:".underline
-option_parser.on_tail %Q{jwtear --generate-token --header #{"'".bold}{"typ":"JWT","alg":"HS256"}#{"'".bold} --payload #{"'".bold}{"login":"admin"}#{"'".bold} --key 'P@ssw0rd!'}
-option_parser.on_tail %Q{jwtear --generate-sig --header #{"'".bold}{"typ":"JWT","alg":"HS256"}#{"'".bold} --payload #{"'".bold}{"login":"admin"}#{"'".bold} --key 'P@ssw0rd!'}
-option_parser.on_tail %Q{jwtear --parse #{"'".bold}eyJwI...6IfJ9#{'.'.bold}kxrMS...MjAMm#{'.'.bold}zEybN...TU2Njk3ZmE3OA#{"'".bold}\n\n}
-
-begin
-  option_parser.parse!
-  include JWTear::Utils
-  case
-    when options[:version]
-      puts "-[#{'Current version'.green}]----"
-      puts JWTear::VERSION
-      if latest_version == JWTear::VERSION
-        puts "[+] ".dark_green + "You have latest version."
+require 'gli'
+
+module  JWTear
+  module CLI
+    extend GLI::App
+    extend JWTear::Helpers::Utils
+    puts banner
+    program_desc 'Parse, create and manipulate JWT tokens.'
+
+    # CLI settings
+    ENV['GLI_DEBUG'] = "true"  # Uncomment this line for debugging
+    autocomplete_commands true
+    subcommand_option_handling :normal
+    arguments :strict
+    sort_help :manually
+    wrap_help_text :verbatim #:to_terminal
+    synopsis_format :full #:compact
+
+    desc 'Check current and latest version'
+    switch [:v, :version],  negatable: false
+    @version = JWTear::VERSION
+
+    desc 'Show this help message'
+    switch [:h, :help],  negatable: false
+
+    dir = File.expand_path(File.join(File.dirname(__FILE__), ['..', 'plugins']))
+    commands_from dir if Dir.exist? dir
+
+    on_error do |exception|
+      case exception
+      when GLI::MissingRequiredArgumentsException
+        print_error "Option #{exception.message}"
+        exit!
       else
-        puts "-[#{'Latest version'.green}]----"
-        puts latest_version
-        puts "[+] ".dark_green + "Please update. (gem update jwtear)"
+        print_error "Unknown Exception:"
+        print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
+        puts exception.full_message
+        exit!
       end
-    # parse
-    when options[:parse]
-      jwt = JWTear::JWT.new(options[:parse])
-      jwt_parsed = jwt.parse
-      puts "-[#{'Hash'.green}]----"
-      puts jwt_parsed
-      puts "-[#{'JSON'.green}]----"
-      puts jwt.json
-      puts ''
-      puts "[+] ".dark_green + "Header (envelope segment):".bold.underline
-      jwt.header.each {|key, value| puts "  #{'-'.bold} #{key}: #{value}"}
-      puts "[+] ".dark_green + "Payload (claim segment):".bold.underline
-      jwt.payload.each {|key, value| puts "  #{'-'.bold} #{key}: #{value}"}
-      puts "[+] ".dark_green + "Signature (envelope segment) - encoded:".bold.underline
-      puts encode(jwt.signature) || '---[ no signature ]---'
-
-    # checking missing for generate_token
-    when options[:generate_token] && (options[:header] || options[:payload] || options[:key]).nil?
-      puts '[!] '.red + "Missing mandatory switch(es) '--header/--payload/--alg/--key'"
-
-    # checking missing for generate_sig
-    when options[:generate_sig] && (options[:header] || options[:payload] || options[:key]).nil?
-      puts '[!] '.red + "Missing mandatory switch(es) '--header/--payload/--key'"
-
-    when options[:generate_token]
-      jwt = JWTear::JWT.new
-      jwt.header  = options[:header]
-      jwt.payload = options[:payload]
-      jwt.alg     = options[:alg]
-      if options[:key]
-        jwt.key   = File.file?(options[:key])? File.read(options[:key]) : options[:key] # read key as a string or from file(eg. pub_key.pem)
-      end
-      token       = jwt.generate_token
-      puts "-[#{'Hash'.dark_green}]----"
-      puts jwt.hash
-      puts "-[#{'JSON'.dark_green}]----"
-      puts jwt.json
-      puts ''
-      puts "-[#{'Token'.green}]----"
-      puts token
-
-    when options[:generate_sig]
-      jwt = JWTear::JWT.new
-      data_encoded = encode_header_payload(options[:header], options[:payload])
-      puts "-[#{'Signature'.green}]----"
-      puts encode(jwt.generate_sig(data_encoded, options[:alg], options[:key]).signature)
-
-    else
-      puts JWTear::Utils.banner
-      puts option_parser
+    end
   end
-rescue OptionParser::MissingArgument => e
-  e.args.each {|arg| puts '[!] '.red + "#{e.reason.capitalize} for '#{arg}' option."}
-  puts option_parser
-rescue OptionParser::InvalidOption => e
-  puts '[!] '.red + "#{e}"
-  puts option_parser
-rescue Exception => e
-  puts "[x] ".red + "Unknown Exception: option parser"
-  puts '[!] '.yellow + 'Please report the issue at: https://github.com/KINGSABRI/jwtear/issues'.underline
-  puts e.backtrace_locations
-  puts e
 end
+exit JWTear::CLI.run(ARGV)