jwtear 1.0.1.pre → 1.0.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +2 -0
- data/Gemfile.lock +1 -1
- data/README.md +21 -4
- data/bin/jwtear +14 -9
- data/lib/jwtear/jwe.rb +6 -0
- data/lib/jwtear/version.rb +1 -1
- data/plugins/bruteforce.rb +3 -12
- data/plugins/wiki/README.md +14 -12
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 354a9f9e3c1c66b7bc4f3db6671b9e9635a23ee1d2642ef199d186c53bde73df
|
|
4
|
+
data.tar.gz: 4fb427852cff0bb16156c35eaf1e48fd1f8e4243bee19755fe6cf851986d4987
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 3c962fd44c645e70ff38c13c509760b51e6bc0d6a34f15d8d963e54c4ddf6507edf3f7ad077a723319505e293bd5980467385e12762fa7a6bd12ce32e550be7b
|
|
7
|
+
data.tar.gz: b84d7c42ba7a730d32d2fe097584ad9bee1fb283ef8f343a839bf2d741fa6ab00f92abad0173dfc4034bc955dfa5ce69a5dea262cb15a5b6a34cccc65216fc5c
|
data/.gitignore
CHANGED
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
|
@@ -1,19 +1,22 @@
|
|
|
1
1
|
# Jwtear
|
|
2
|
-
A modular
|
|
2
|
+
A modular command-line tool to parse, create and manipulate JSON Web Token(JWT) tokens for security testing purposes.
|
|
3
3
|
|
|
4
4
|
## Features
|
|
5
5
|
- Complete modularity.
|
|
6
6
|
- All commands are plugins.
|
|
7
|
-
- Easy to add
|
|
7
|
+
- Easy to add new plugins.
|
|
8
8
|
- Support JWS and JWE tokens.
|
|
9
9
|
- Easy interface for plugins. (follow the template example)
|
|
10
|
+
- Flexible
|
|
11
|
+
- token generation based on production-class libraries (e.g. json-jwt, jwe).
|
|
12
|
+
|
|
10
13
|
|
|
11
14
|
### Available plugins
|
|
12
15
|
- Parse: parses jwt tokens.
|
|
13
16
|
- jws: manipulate and generate JWS tokens.
|
|
14
17
|
- jwe: manipulate and generate JWE tokens.
|
|
15
18
|
- bruteforce: brutefocing JWS signing key
|
|
16
|
-
- wiki: contains information about JWT, attacks ideas, references.
|
|
19
|
+
- wiki: contains offline information about JWT, attacks ideas, references.
|
|
17
20
|
|
|
18
21
|
## Installation
|
|
19
22
|
|
|
@@ -81,7 +84,8 @@ plugins are defined as subcommands. Each subcommand may have one or more argumen
|
|
|
81
84
|
```
|
|
82
85
|
$ jwtear parse -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.J8SS8VKlI2yV47C4BtfYukWPx_2welF34Mz7l-MNmkE
|
|
83
86
|
$ jwtear jws -h '{"alg":"HS256","typ":"JWT"}' -p '{"user":"admin"}' -k p@ss0rd123
|
|
84
|
-
$ jwtear
|
|
87
|
+
$ jwtear jwe -header '{"enc":"A192GCM","typ":"JWT"}' --payload '{"user":"admin"}' --key public.pem
|
|
88
|
+
$ jwtear bruteforce -v -t eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjpudWxsfQ.Tr0VvdP6rVBGBGuI_luxGCOaz6BbhC6IxRTlKOW8UjM -l ~/tmp/pass.list
|
|
85
89
|
```
|
|
86
90
|
|
|
87
91
|
## Add plugin
|
|
@@ -134,6 +138,19 @@ Once the missing dependencies are installed by the user, the `check_dependencies
|
|
|
134
138
|
|
|
135
139
|
Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/jwtear.
|
|
136
140
|
|
|
141
|
+
1. Fork it ( https://github.com/KINGSABRI/jwtear/fork )
|
|
142
|
+
2. Create your feature branch (`git checkout -b my-new-feature`)
|
|
143
|
+
3. Commit your changes (`git commit -am 'Add some feature'`)
|
|
144
|
+
4. Push to the branch (`git push origin my-new-feature`)
|
|
145
|
+
5. Create a new Pull Request
|
|
146
|
+
|
|
147
|
+
### Areas to contribute
|
|
148
|
+
- contribution by reporting bugs.
|
|
149
|
+
- contribution by perfecting the current code.
|
|
150
|
+
- contribution by adding new plugins.
|
|
151
|
+
- contribution by enhancing the [jwtear wiki](https://github.com/KINGSABRI/jwtear/tree/master/plugins/wiki).
|
|
152
|
+
- contribution by requesting features and/or plugins.
|
|
153
|
+
|
|
137
154
|
## License
|
|
138
155
|
|
|
139
156
|
The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
|
data/bin/jwtear
CHANGED
|
@@ -17,17 +17,17 @@ module JWTear
|
|
|
17
17
|
module CLI
|
|
18
18
|
extend GLI::App
|
|
19
19
|
extend JWTear::Helpers::Utils
|
|
20
|
-
|
|
20
|
+
|
|
21
21
|
program_desc 'Parse, create and manipulate JWT tokens.'
|
|
22
22
|
|
|
23
23
|
# CLI settings
|
|
24
|
-
ENV['GLI_DEBUG'] =
|
|
25
|
-
autocomplete_commands
|
|
24
|
+
# ENV['GLI_DEBUG'] = "true" # Uncomment this line for debugging
|
|
25
|
+
autocomplete_commands true
|
|
26
26
|
subcommand_option_handling :normal
|
|
27
|
-
arguments
|
|
28
|
-
sort_help
|
|
29
|
-
wrap_help_text
|
|
30
|
-
synopsis_format
|
|
27
|
+
arguments :strict
|
|
28
|
+
sort_help :manually
|
|
29
|
+
wrap_help_text :verbatim
|
|
30
|
+
synopsis_format :full
|
|
31
31
|
|
|
32
32
|
desc 'Check current and latest version'
|
|
33
33
|
switch [:v, :version], negatable: false
|
|
@@ -40,16 +40,21 @@ module JWTear
|
|
|
40
40
|
commands_from dir if Dir.exist? dir
|
|
41
41
|
|
|
42
42
|
on_error do |exception|
|
|
43
|
+
puts banner
|
|
43
44
|
case exception
|
|
44
45
|
when GLI::MissingRequiredArgumentsException
|
|
45
46
|
print_error "Option #{exception.message}"
|
|
46
|
-
|
|
47
|
+
when OptionParser::MissingArgument
|
|
48
|
+
print_error "Option #{exception.message}"
|
|
49
|
+
when GLI::UnknownCommandArgument
|
|
50
|
+
print_error "#{exception.message}"
|
|
47
51
|
else
|
|
48
52
|
print_error "Unknown Exception:"
|
|
49
53
|
print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
|
|
50
54
|
puts exception.full_message
|
|
51
|
-
exit!
|
|
52
55
|
end
|
|
56
|
+
|
|
57
|
+
true
|
|
53
58
|
end
|
|
54
59
|
end
|
|
55
60
|
end
|
data/lib/jwtear/jwe.rb
CHANGED
|
@@ -92,6 +92,12 @@ module JWTear
|
|
|
92
92
|
exit!
|
|
93
93
|
end
|
|
94
94
|
|
|
95
|
+
# is_encrypted?
|
|
96
|
+
# to check if the given string in a JSON format or its encrypted.
|
|
97
|
+
# Used mostly with @encrypted_key as it might come in different format.
|
|
98
|
+
# @param item [JSON|STRING]
|
|
99
|
+
#
|
|
100
|
+
# @return [Boolean]
|
|
95
101
|
def is_encrypted?(item)
|
|
96
102
|
JSON.parse item
|
|
97
103
|
false
|
data/lib/jwtear/version.rb
CHANGED
data/plugins/bruteforce.rb
CHANGED
|
@@ -16,7 +16,7 @@ module JWTear
|
|
|
16
16
|
c.desc "Run verbosely."
|
|
17
17
|
c.switch [:v, :verbose], negatable: false
|
|
18
18
|
|
|
19
|
-
c.example %Q{jwtear bruteforce -t TOKEN -l rockyou.list
|
|
19
|
+
c.example %Q{jwtear bruteforce -v -t TOKEN -l rockyou.list}
|
|
20
20
|
c.example %Q{jwtear bruteforce -t TOKEN -l P@ssw0rd123}
|
|
21
21
|
|
|
22
22
|
c.action do |_, options, _|
|
|
@@ -25,7 +25,6 @@ module JWTear
|
|
|
25
25
|
bf.run(options[:verbose])
|
|
26
26
|
end
|
|
27
27
|
end
|
|
28
|
-
|
|
29
28
|
end
|
|
30
29
|
end
|
|
31
30
|
|
|
@@ -46,6 +45,7 @@ module JWTear
|
|
|
46
45
|
case
|
|
47
46
|
when keys.kind_of?(Enumerator::Lazy)
|
|
48
47
|
keys.each do |key|
|
|
48
|
+
key.valid_encoding? ? key.strip! : next
|
|
49
49
|
print_status "Trying password: #{key}" if verbose
|
|
50
50
|
|
|
51
51
|
gen_token = @token.generate(:jws, header: @jws.header.to_json, payload:@jws.payload.to_json , key: key)
|
|
@@ -56,7 +56,6 @@ module JWTear
|
|
|
56
56
|
exit!
|
|
57
57
|
else
|
|
58
58
|
print_bad "Invalid key: #{key}" if verbose
|
|
59
|
-
# puts gen_token if verbose
|
|
60
59
|
end
|
|
61
60
|
end
|
|
62
61
|
when keys.kind_of?(String)
|
|
@@ -68,20 +67,14 @@ module JWTear
|
|
|
68
67
|
else
|
|
69
68
|
print_bad "Invalid key: #{keys}"
|
|
70
69
|
end
|
|
71
|
-
|
|
72
70
|
else
|
|
73
71
|
print_error "Unknown key type"
|
|
74
72
|
raise
|
|
75
73
|
end
|
|
76
74
|
end
|
|
77
75
|
|
|
78
|
-
|
|
79
76
|
def handle_key
|
|
80
|
-
|
|
81
|
-
read_wordlist(@list)
|
|
82
|
-
else
|
|
83
|
-
@list
|
|
84
|
-
end
|
|
77
|
+
File.file?(@list) ? read_wordlist(@list) : @list
|
|
85
78
|
end
|
|
86
79
|
|
|
87
80
|
def read_wordlist(file)
|
|
@@ -89,7 +82,6 @@ module JWTear
|
|
|
89
82
|
print_status "Found '#{file}' file."
|
|
90
83
|
File.readlines(file, chomp: true)
|
|
91
84
|
.lazy
|
|
92
|
-
.map(&:strip)
|
|
93
85
|
.reject(&:empty?)
|
|
94
86
|
.reject(&:nil?)
|
|
95
87
|
else
|
|
@@ -97,7 +89,6 @@ module JWTear
|
|
|
97
89
|
exit!
|
|
98
90
|
end
|
|
99
91
|
end
|
|
100
|
-
|
|
101
92
|
end
|
|
102
93
|
end
|
|
103
94
|
|
data/plugins/wiki/README.md
CHANGED
|
@@ -164,6 +164,8 @@ This carries the same meaning as explained under JWE compact serialization, prev
|
|
|
164
164
|
|
|
165
165
|
This carries the same meaning as explained under JWE compact serialization, previously. The tag element in the JWE token carries the base64url-encoded value of the JWE authenticated tag, which is an outcome of the encryption process using an AEAD algorithm.
|
|
166
166
|
|
|
167
|
+
_source(JWT, JWS and JWE for Not So Dummies! (Part I))_
|
|
168
|
+
|
|
167
169
|
---
|
|
168
170
|
|
|
169
171
|
|
|
@@ -185,18 +187,18 @@ This carries the same meaning as explained under JWE compact serialization, prev
|
|
|
185
187
|
## Vulnerable Applications
|
|
186
188
|
|
|
187
189
|
* [Damn Vulnerable Web Services - DVWS](https://github.com/snoopysecurity/dvws)
|
|
188
|
-
* [Pentesterlab(Free)
|
|
189
|
-
* [Pentesterlab(PRO)
|
|
190
|
-
* [Pentesterlab(PRO)
|
|
191
|
-
* [Pentesterlab(PRO)
|
|
192
|
-
* [Pentesterlab(PRO)
|
|
193
|
-
* [Pentesterlab(PRO)
|
|
194
|
-
* [Pentesterlab(PRO)
|
|
195
|
-
* [Pentesterlab(PRO)
|
|
196
|
-
* [Pentesterlab(PRO)
|
|
197
|
-
* [Pentesterlab(PRO)
|
|
198
|
-
* [Pentesterlab(PRO)
|
|
199
|
-
* [Pentesterlab(PRO)
|
|
190
|
+
* [Pentesterlab(Free) - JSON Web Token I](https://pentesterlab.com/exercises/jwt/)
|
|
191
|
+
* [Pentesterlab(PRO) - JSON Web Token II](https://pentesterlab.com/exercises/jwt_ii/)
|
|
192
|
+
* [Pentesterlab(PRO) - JWT III](https://pentesterlab.com/exercises/jwt_iii/)
|
|
193
|
+
* [Pentesterlab(PRO) - JWT IV](https://pentesterlab.com/exercises/jwt_iv)
|
|
194
|
+
* [Pentesterlab(PRO) - JWT V](https://pentesterlab.com/exercises/jwt_v)
|
|
195
|
+
* [Pentesterlab(PRO) - JWT VI](https://pentesterlab.com/exercises/jwt_vi)
|
|
196
|
+
* [Pentesterlab(PRO) - JWT VII](https://pentesterlab.com/exercises/jwt_vii)
|
|
197
|
+
* [Pentesterlab(PRO) - JWT VIII](https://pentesterlab.com/exercises/jwt_viii)
|
|
198
|
+
* [Pentesterlab(PRO) - JWT X](https://pentesterlab.com/exercises/jwt_x/)
|
|
199
|
+
* [Pentesterlab(PRO) - JWT XI](https://pentesterlab.com/exercises/jwt_xi)
|
|
200
|
+
* [Pentesterlab(PRO) - JWT XII](https://pentesterlab.com/exercises/jwt_xii)
|
|
201
|
+
* [Pentesterlab(PRO) - JSON Web Encryption](https://pentesterlab.com/exercises/jwe)
|
|
200
202
|
* [Vulnerable JWT implementations](https://github.com/Sjord/jwtdemo)
|
|
201
203
|
|
|
202
204
|
## Resources
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: jwtear
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.
|
|
4
|
+
version: 1.0.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- KING SABRI
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-10-
|
|
11
|
+
date: 2019-10-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: gli
|
|
@@ -138,9 +138,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
138
138
|
version: '0'
|
|
139
139
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
140
140
|
requirements:
|
|
141
|
-
- - "
|
|
141
|
+
- - ">="
|
|
142
142
|
- !ruby/object:Gem::Version
|
|
143
|
-
version:
|
|
143
|
+
version: '0'
|
|
144
144
|
requirements: []
|
|
145
145
|
rubyforge_project:
|
|
146
146
|
rubygems_version: 2.7.6.2
|