jwtear 1.0.1.pre → 1.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gitignore +2 -0
- data/Gemfile.lock +1 -1
- data/README.md +21 -4
- data/bin/jwtear +14 -9
- data/lib/jwtear/jwe.rb +6 -0
- data/lib/jwtear/version.rb +1 -1
- data/plugins/bruteforce.rb +3 -12
- data/plugins/wiki/README.md +14 -12
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 354a9f9e3c1c66b7bc4f3db6671b9e9635a23ee1d2642ef199d186c53bde73df
|
|
4
|
+
data.tar.gz: 4fb427852cff0bb16156c35eaf1e48fd1f8e4243bee19755fe6cf851986d4987
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3c962fd44c645e70ff38c13c509760b51e6bc0d6a34f15d8d963e54c4ddf6507edf3f7ad077a723319505e293bd5980467385e12762fa7a6bd12ce32e550be7b
|
|
7
|
+
data.tar.gz: b84d7c42ba7a730d32d2fe097584ad9bee1fb283ef8f343a839bf2d741fa6ab00f92abad0173dfc4034bc955dfa5ce69a5dea262cb15a5b6a34cccc65216fc5c
|
data/.gitignore
CHANGED
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
|
@@ -1,19 +1,22 @@
|
|
|
1
1
|
# Jwtear
|
|
2
|
-
A modular
|
|
2
|
+
A modular command-line tool to parse, create and manipulate JSON Web Token(JWT) tokens for security testing purposes.
|
|
3
3
|
|
|
4
4
|
## Features
|
|
5
5
|
- Complete modularity.
|
|
6
6
|
- All commands are plugins.
|
|
7
|
-
- Easy to add
|
|
7
|
+
- Easy to add new plugins.
|
|
8
8
|
- Support JWS and JWE tokens.
|
|
9
9
|
- Easy interface for plugins. (follow the template example)
|
|
10
|
+
- Flexible
|
|
11
|
+
- token generation based on production-class libraries (e.g. json-jwt, jwe).
|
|
12
|
+
|
|
10
13
|
|
|
11
14
|
### Available plugins
|
|
12
15
|
- Parse: parses jwt tokens.
|
|
13
16
|
- jws: manipulate and generate JWS tokens.
|
|
14
17
|
- jwe: manipulate and generate JWE tokens.
|
|
15
18
|
- bruteforce: brutefocing JWS signing key
|
|
16
|
-
- wiki: contains information about JWT, attacks ideas, references.
|
|
19
|
+
- wiki: contains offline information about JWT, attacks ideas, references.
|
|
17
20
|
|
|
18
21
|
## Installation
|
|
19
22
|
|
|
@@ -81,7 +84,8 @@ plugins are defined as subcommands. Each subcommand may have one or more argumen
|
|
|
81
84
|
```
|
|
82
85
|
$ jwtear parse -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.J8SS8VKlI2yV47C4BtfYukWPx_2welF34Mz7l-MNmkE
|
|
83
86
|
$ jwtear jws -h '{"alg":"HS256","typ":"JWT"}' -p '{"user":"admin"}' -k p@ss0rd123
|
|
84
|
-
$ jwtear
|
|
87
|
+
$ jwtear jwe -header '{"enc":"A192GCM","typ":"JWT"}' --payload '{"user":"admin"}' --key public.pem
|
|
88
|
+
$ jwtear bruteforce -v -t eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjpudWxsfQ.Tr0VvdP6rVBGBGuI_luxGCOaz6BbhC6IxRTlKOW8UjM -l ~/tmp/pass.list
|
|
85
89
|
```
|
|
86
90
|
|
|
87
91
|
## Add plugin
|
|
@@ -134,6 +138,19 @@ Once the missing dependencies are installed by the user, the `check_dependencies
|
|
|
134
138
|
|
|
135
139
|
Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/jwtear.
|
|
136
140
|
|
|
141
|
+
1. Fork it ( https://github.com/KINGSABRI/jwtear/fork )
|
|
142
|
+
2. Create your feature branch (`git checkout -b my-new-feature`)
|
|
143
|
+
3. Commit your changes (`git commit -am 'Add some feature'`)
|
|
144
|
+
4. Push to the branch (`git push origin my-new-feature`)
|
|
145
|
+
5. Create a new Pull Request
|
|
146
|
+
|
|
147
|
+
### Areas to contribute
|
|
148
|
+
- contribution by reporting bugs.
|
|
149
|
+
- contribution by perfecting the current code.
|
|
150
|
+
- contribution by adding new plugins.
|
|
151
|
+
- contribution by enhancing the [jwtear wiki](https://github.com/KINGSABRI/jwtear/tree/master/plugins/wiki).
|
|
152
|
+
- contribution by requesting features and/or plugins.
|
|
153
|
+
|
|
137
154
|
## License
|
|
138
155
|
|
|
139
156
|
The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
|
data/bin/jwtear
CHANGED
|
@@ -17,17 +17,17 @@ module JWTear
|
|
|
17
17
|
module CLI
|
|
18
18
|
extend GLI::App
|
|
19
19
|
extend JWTear::Helpers::Utils
|
|
20
|
-
|
|
20
|
+
|
|
21
21
|
program_desc 'Parse, create and manipulate JWT tokens.'
|
|
22
22
|
|
|
23
23
|
# CLI settings
|
|
24
|
-
ENV['GLI_DEBUG'] =
|
|
25
|
-
autocomplete_commands
|
|
24
|
+
# ENV['GLI_DEBUG'] = "true" # Uncomment this line for debugging
|
|
25
|
+
autocomplete_commands true
|
|
26
26
|
subcommand_option_handling :normal
|
|
27
|
-
arguments
|
|
28
|
-
sort_help
|
|
29
|
-
wrap_help_text
|
|
30
|
-
synopsis_format
|
|
27
|
+
arguments :strict
|
|
28
|
+
sort_help :manually
|
|
29
|
+
wrap_help_text :verbatim
|
|
30
|
+
synopsis_format :full
|
|
31
31
|
|
|
32
32
|
desc 'Check current and latest version'
|
|
33
33
|
switch [:v, :version], negatable: false
|
|
@@ -40,16 +40,21 @@ module JWTear
|
|
|
40
40
|
commands_from dir if Dir.exist? dir
|
|
41
41
|
|
|
42
42
|
on_error do |exception|
|
|
43
|
+
puts banner
|
|
43
44
|
case exception
|
|
44
45
|
when GLI::MissingRequiredArgumentsException
|
|
45
46
|
print_error "Option #{exception.message}"
|
|
46
|
-
|
|
47
|
+
when OptionParser::MissingArgument
|
|
48
|
+
print_error "Option #{exception.message}"
|
|
49
|
+
when GLI::UnknownCommandArgument
|
|
50
|
+
print_error "#{exception.message}"
|
|
47
51
|
else
|
|
48
52
|
print_error "Unknown Exception:"
|
|
49
53
|
print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
|
|
50
54
|
puts exception.full_message
|
|
51
|
-
exit!
|
|
52
55
|
end
|
|
56
|
+
|
|
57
|
+
true
|
|
53
58
|
end
|
|
54
59
|
end
|
|
55
60
|
end
|
data/lib/jwtear/jwe.rb
CHANGED
|
@@ -92,6 +92,12 @@ module JWTear
|
|
|
92
92
|
exit!
|
|
93
93
|
end
|
|
94
94
|
|
|
95
|
+
# is_encrypted?
|
|
96
|
+
# to check if the given string in a JSON format or its encrypted.
|
|
97
|
+
# Used mostly with @encrypted_key as it might come in different format.
|
|
98
|
+
# @param item [JSON|STRING]
|
|
99
|
+
#
|
|
100
|
+
# @return [Boolean]
|
|
95
101
|
def is_encrypted?(item)
|
|
96
102
|
JSON.parse item
|
|
97
103
|
false
|
data/lib/jwtear/version.rb
CHANGED
data/plugins/bruteforce.rb
CHANGED
|
@@ -16,7 +16,7 @@ module JWTear
|
|
|
16
16
|
c.desc "Run verbosely."
|
|
17
17
|
c.switch [:v, :verbose], negatable: false
|
|
18
18
|
|
|
19
|
-
c.example %Q{jwtear bruteforce -t TOKEN -l rockyou.list
|
|
19
|
+
c.example %Q{jwtear bruteforce -v -t TOKEN -l rockyou.list}
|
|
20
20
|
c.example %Q{jwtear bruteforce -t TOKEN -l P@ssw0rd123}
|
|
21
21
|
|
|
22
22
|
c.action do |_, options, _|
|
|
@@ -25,7 +25,6 @@ module JWTear
|
|
|
25
25
|
bf.run(options[:verbose])
|
|
26
26
|
end
|
|
27
27
|
end
|
|
28
|
-
|
|
29
28
|
end
|
|
30
29
|
end
|
|
31
30
|
|
|
@@ -46,6 +45,7 @@ module JWTear
|
|
|
46
45
|
case
|
|
47
46
|
when keys.kind_of?(Enumerator::Lazy)
|
|
48
47
|
keys.each do |key|
|
|
48
|
+
key.valid_encoding? ? key.strip! : next
|
|
49
49
|
print_status "Trying password: #{key}" if verbose
|
|
50
50
|
|
|
51
51
|
gen_token = @token.generate(:jws, header: @jws.header.to_json, payload:@jws.payload.to_json , key: key)
|
|
@@ -56,7 +56,6 @@ module JWTear
|
|
|
56
56
|
exit!
|
|
57
57
|
else
|
|
58
58
|
print_bad "Invalid key: #{key}" if verbose
|
|
59
|
-
# puts gen_token if verbose
|
|
60
59
|
end
|
|
61
60
|
end
|
|
62
61
|
when keys.kind_of?(String)
|
|
@@ -68,20 +67,14 @@ module JWTear
|
|
|
68
67
|
else
|
|
69
68
|
print_bad "Invalid key: #{keys}"
|
|
70
69
|
end
|
|
71
|
-
|
|
72
70
|
else
|
|
73
71
|
print_error "Unknown key type"
|
|
74
72
|
raise
|
|
75
73
|
end
|
|
76
74
|
end
|
|
77
75
|
|
|
78
|
-
|
|
79
76
|
def handle_key
|
|
80
|
-
|
|
81
|
-
read_wordlist(@list)
|
|
82
|
-
else
|
|
83
|
-
@list
|
|
84
|
-
end
|
|
77
|
+
File.file?(@list) ? read_wordlist(@list) : @list
|
|
85
78
|
end
|
|
86
79
|
|
|
87
80
|
def read_wordlist(file)
|
|
@@ -89,7 +82,6 @@ module JWTear
|
|
|
89
82
|
print_status "Found '#{file}' file."
|
|
90
83
|
File.readlines(file, chomp: true)
|
|
91
84
|
.lazy
|
|
92
|
-
.map(&:strip)
|
|
93
85
|
.reject(&:empty?)
|
|
94
86
|
.reject(&:nil?)
|
|
95
87
|
else
|
|
@@ -97,7 +89,6 @@ module JWTear
|
|
|
97
89
|
exit!
|
|
98
90
|
end
|
|
99
91
|
end
|
|
100
|
-
|
|
101
92
|
end
|
|
102
93
|
end
|
|
103
94
|
|
data/plugins/wiki/README.md
CHANGED
|
@@ -164,6 +164,8 @@ This carries the same meaning as explained under JWE compact serialization, prev
|
|
|
164
164
|
|
|
165
165
|
This carries the same meaning as explained under JWE compact serialization, previously. The tag element in the JWE token carries the base64url-encoded value of the JWE authenticated tag, which is an outcome of the encryption process using an AEAD algorithm.
|
|
166
166
|
|
|
167
|
+
_source(JWT, JWS and JWE for Not So Dummies! (Part I))_
|
|
168
|
+
|
|
167
169
|
---
|
|
168
170
|
|
|
169
171
|
|
|
@@ -185,18 +187,18 @@ This carries the same meaning as explained under JWE compact serialization, prev
|
|
|
185
187
|
## Vulnerable Applications
|
|
186
188
|
|
|
187
189
|
* [Damn Vulnerable Web Services - DVWS](https://github.com/snoopysecurity/dvws)
|
|
188
|
-
* [Pentesterlab(Free)
|
|
189
|
-
* [Pentesterlab(PRO)
|
|
190
|
-
* [Pentesterlab(PRO)
|
|
191
|
-
* [Pentesterlab(PRO)
|
|
192
|
-
* [Pentesterlab(PRO)
|
|
193
|
-
* [Pentesterlab(PRO)
|
|
194
|
-
* [Pentesterlab(PRO)
|
|
195
|
-
* [Pentesterlab(PRO)
|
|
196
|
-
* [Pentesterlab(PRO)
|
|
197
|
-
* [Pentesterlab(PRO)
|
|
198
|
-
* [Pentesterlab(PRO)
|
|
199
|
-
* [Pentesterlab(PRO)
|
|
190
|
+
* [Pentesterlab(Free) - JSON Web Token I](https://pentesterlab.com/exercises/jwt/)
|
|
191
|
+
* [Pentesterlab(PRO) - JSON Web Token II](https://pentesterlab.com/exercises/jwt_ii/)
|
|
192
|
+
* [Pentesterlab(PRO) - JWT III](https://pentesterlab.com/exercises/jwt_iii/)
|
|
193
|
+
* [Pentesterlab(PRO) - JWT IV](https://pentesterlab.com/exercises/jwt_iv)
|
|
194
|
+
* [Pentesterlab(PRO) - JWT V](https://pentesterlab.com/exercises/jwt_v)
|
|
195
|
+
* [Pentesterlab(PRO) - JWT VI](https://pentesterlab.com/exercises/jwt_vi)
|
|
196
|
+
* [Pentesterlab(PRO) - JWT VII](https://pentesterlab.com/exercises/jwt_vii)
|
|
197
|
+
* [Pentesterlab(PRO) - JWT VIII](https://pentesterlab.com/exercises/jwt_viii)
|
|
198
|
+
* [Pentesterlab(PRO) - JWT X](https://pentesterlab.com/exercises/jwt_x/)
|
|
199
|
+
* [Pentesterlab(PRO) - JWT XI](https://pentesterlab.com/exercises/jwt_xi)
|
|
200
|
+
* [Pentesterlab(PRO) - JWT XII](https://pentesterlab.com/exercises/jwt_xii)
|
|
201
|
+
* [Pentesterlab(PRO) - JSON Web Encryption](https://pentesterlab.com/exercises/jwe)
|
|
200
202
|
* [Vulnerable JWT implementations](https://github.com/Sjord/jwtdemo)
|
|
201
203
|
|
|
202
204
|
## Resources
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: jwtear
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- KING SABRI
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-10-
|
|
11
|
+
date: 2019-10-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: gli
|
|
@@ -138,9 +138,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
138
138
|
version: '0'
|
|
139
139
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
140
140
|
requirements:
|
|
141
|
-
- - "
|
|
141
|
+
- - ">="
|
|
142
142
|
- !ruby/object:Gem::Version
|
|
143
|
-
version:
|
|
143
|
+
version: '0'
|
|
144
144
|
requirements: []
|
|
145
145
|
rubyforge_project:
|
|
146
146
|
rubygems_version: 2.7.6.2
|