jwtear 1.0.1.pre → 1.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 79f49f692fd3613b91dfe70d89c5724090d2a1157b6b220a27e355340496f715
-  data.tar.gz: 159a436bb626c60bfe6f6d218a5cd44961e8c470c406f7e1d95f6a07c1682767
+  metadata.gz: 214465c3eb8ab23270f4caa51276a8af5814821515d77a29e7b17b57106a27d1
+  data.tar.gz: b9ecca972fcaa68d4729b1952b66f30aa9c6745070eb4a7261007162ed843277
 SHA512:
-  metadata.gz: 453c4aa04fa178ecde43eee51f00703f793aa3db1a6fb624c621b3e7f603ab9d761c66d719eb0a2af22a1f239104015dd158908188c53eff844828bba44f2057
-  data.tar.gz: 4ff26ab632dfc2e432dce872df5cc846f8bc97b0181ae35c6e8b26593006033f728f2368f97325edbe091c56d97b29c28779b39d0746e0f544f8cd1a70a20238
+  metadata.gz: c4af5ebfe24cef925c15c87672b1572d37858a079d0b1d4044966999637597ff699c7a1be1a50a228329619c64c9ba003c76c9dcfc8b6262647493485c23164a
+  data.tar.gz: 97544a55bc3b65a2342f083dab6a877ae4db6285d4a6187a8116ac10ce5d9f24b72ed488912a0c945c5eae04c0a3384d5f0e5f939ba482d95d00eac6dd76e5aa

data/.github/workflows/gem-push.yml

@@ -0,0 +1,42 @@
+name: Ruby Gem
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+    name: Build + Publish
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby 2.6
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.6.x
+
+    - name: Publish to GPR
+      run: |
+        mkdir -p $HOME/.gem
+        touch $HOME/.gem/credentials
+        chmod 0600 $HOME/.gem/credentials
+        printf -- "---\n:github: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
+        gem build *.gemspec
+        gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem
+      env:
+        GEM_HOST_API_KEY: "Bearer ${{secrets.GITHUB_TOKEN}}"
+        OWNER: ${{ github.repository_owner }}
+
+    - name: Publish to RubyGems
+      run: |
+        mkdir -p $HOME/.gem
+        touch $HOME/.gem/credentials
+        chmod 0600 $HOME/.gem/credentials
+        printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
+        gem build *.gemspec
+        gem push *.gem
+      env:
+        GEM_HOST_API_KEY: "${{secrets.RUBYGEMS_AUTH_TOKEN}}"

data/.gitignore

@@ -6,3 +6,5 @@
 /pkg/
 /spec/reports/
 /tmp/
+.idea/
+*.gem

data/Gemfile.lock

@@ -1,9 +1,10 @@
 PATH
   remote: .
   specs:
-    jwtear (1.0.0)
+    jwtear (1.0.6)
+      colorize (~> 0.8.1)
       gli (~> 2.19, >= 2.19.0)
-      json-jwt (~> 1.10, >= 1.10.2)
+      json-jwt (~> 1.11, >= 1.11.0)
       jwe (~> 0.4.0)
       tty-markdown (~> 0.6.0)
       tty-pager (~> 0.12.1)
@@ -11,37 +12,38 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (6.0.0)
+    activesupport (6.0.3.4)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-      zeitwerk (~> 2.1, >= 2.1.8)
-    aes_key_wrap (1.0.1)
-    bindata (2.4.4)
-    concurrent-ruby (1.1.5)
+      zeitwerk (~> 2.2, >= 2.2.2)
+    aes_key_wrap (1.1.0)
+    bindata (2.4.8)
+    colorize (0.8.1)
+    concurrent-ruby (1.1.7)
     equatable (0.6.1)
-    gli (2.19.0)
-    i18n (1.7.0)
+    gli (2.19.2)
+    i18n (1.8.5)
       concurrent-ruby (~> 1.0)
-    json-jwt (1.10.2)
+    json-jwt (1.13.0)
       activesupport (>= 4.2)
       aes_key_wrap
       bindata
     jwe (0.4.0)
     kramdown (1.16.2)
-    minitest (5.12.2)
-    pastel (0.7.3)
+    minitest (5.14.2)
+    pastel (0.7.4)
       equatable (~> 0.6)
       tty-color (~> 0.5)
-    rouge (3.11.1)
-    strings (0.1.6)
+    rouge (3.25.0)
+    strings (0.1.8)
       strings-ansi (~> 0.1)
       unicode-display_width (~> 1.5)
       unicode_utils (~> 1.4)
-    strings-ansi (0.1.0)
+    strings-ansi (0.2.0)
     thread_safe (0.3.6)
-    tty-color (0.5.0)
+    tty-color (0.6.0)
     tty-markdown (0.6.0)
       kramdown (~> 1.16.2)
       pastel (~> 0.7.2)
@@ -53,13 +55,13 @@ GEM
       strings (~> 0.1.4)
       tty-screen (~> 0.6)
       tty-which (~> 0.4)
-    tty-screen (0.7.0)
-    tty-which (0.4.1)
-    tzinfo (1.2.5)
+    tty-screen (0.8.1)
+    tty-which (0.4.2)
+    tzinfo (1.2.8)
       thread_safe (~> 0.1)
-    unicode-display_width (1.6.0)
+    unicode-display_width (1.7.0)
     unicode_utils (1.4.0)
-    zeitwerk (2.1.10)
+    zeitwerk (2.4.1)
 
 PLATFORMS
   ruby
@@ -68,4 +70,4 @@ DEPENDENCIES
   jwtear!
 
 BUNDLED WITH
-   2.0.2
+   2.1.4

data/README.md

@@ -1,19 +1,22 @@
 # Jwtear
-A modular Command-line tool to parse, create and manipulate JSON Web Token(JWT) tokens for security testing purposes. 
+A modular command-line tool to parse, create and manipulate JSON Web Token(JWT) tokens for security testing purposes. 
 
 ## Features
 - Complete modularity.
     - All commands are plugins.
-    - Easy to add a new plugins.
+    - Easy to add new plugins.
     - Support JWS and JWE tokens.  
 - Easy interface for plugins. (follow the template example)
+- Flexible
+- token generation based on production-class libraries (e.g. json-jwt, jwe).
+
 
 ### Available plugins
 - Parse: parses jwt tokens.
 - jws: manipulate and generate JWS tokens.
 - jwe: manipulate and generate JWE tokens.
 - bruteforce: brutefocing JWS signing key
-- wiki: contains information about JWT, attacks ideas, references.
+- wiki: contains offline information about JWT, attacks ideas, references.
 
 ## Installation
 
@@ -81,7 +84,8 @@ plugins are defined as subcommands. Each subcommand may have one or more argumen
 ```
 $ jwtear parse -t eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.J8SS8VKlI2yV47C4BtfYukWPx_2welF34Mz7l-MNmkE
 $ jwtear jws -h '{"alg":"HS256","typ":"JWT"}' -p '{"user":"admin"}' -k p@ss0rd123
-$ jwtear bruteforce -t eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjpudWxsfQ.Tr0VvdP6rVBGBGuI_luxGCOaz6BbhC6IxRTlKOW8UjM -l ~/tmp/pass.list -v
+$ jwtear jwe -header '{"enc":"A192GCM","typ":"JWT"}' --payload '{"user":"admin"}' --key public.pem 
+$ jwtear bruteforce -v -t eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjpudWxsfQ.Tr0VvdP6rVBGBGuI_luxGCOaz6BbhC6IxRTlKOW8UjM -l ~/tmp/pass.list
 ```
 
 ## Add plugin
@@ -134,6 +138,19 @@ Once the missing dependencies are installed by the user, the `check_dependencies
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/jwtear.
 
+1. Fork it ( https://github.com/KINGSABRI/jwtear/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request
+
+### Areas to contribute
+- contribution by reporting bugs.
+- contribution by perfecting the current code.
+- contribution by adding new plugins.
+- contribution by enhancing the [jwtear wiki](https://github.com/KINGSABRI/jwtear/tree/master/plugins/wiki).
+- contribution by requesting features and/or plugins.
+
 ## License
 
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/bin/jwtear

@@ -17,17 +17,17 @@ module  JWTear
   module CLI
     extend GLI::App
     extend JWTear::Helpers::Utils
-    puts banner
+
     program_desc 'Parse, create and manipulate JWT tokens.'
 
     # CLI settings
-    ENV['GLI_DEBUG'] = "true"  # Uncomment this line for debugging
-    autocomplete_commands true
+    # ENV['GLI_DEBUG'] =      "true"  # Uncomment this line for debugging
+    autocomplete_commands      true
     subcommand_option_handling :normal
-    arguments :strict
-    sort_help :manually
-    wrap_help_text :verbatim #:to_terminal
-    synopsis_format :full #:compact
+    arguments                  :strict
+    sort_help                  :manually
+    wrap_help_text             :verbatim
+    synopsis_format            :full
 
     desc 'Check current and latest version'
     switch [:v, :version],  negatable: false
@@ -39,17 +39,34 @@ module  JWTear
     dir = File.expand_path(File.join(File.dirname(__FILE__), ['..', 'plugins']))
     commands_from dir if Dir.exist? dir
 
+    trap("INT") do
+      puts
+      print_error "User interruption!"
+      print_warning "Exiting jwtear process."
+      exit!
+    end
+
+    puts banner if ARGV.empty?
     on_error do |exception|
+      puts banner
       case exception
+      when GLI::UnknownGlobalArgument
+        print_error "#{exception.message}"
       when GLI::MissingRequiredArgumentsException
         print_error "Option #{exception.message}"
-        exit!
+      when OptionParser::MissingArgument
+        print_error "Option #{exception.message}"
+      when GLI::UnknownCommandArgument
+        print_error "#{exception.message}"
+      when GLI::UnknownCommand
+        print_error "#{exception.message}"
       else
         print_error "Unknown Exception:"
         print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
         puts exception.full_message
-        exit!
       end
+
+      true
     end
   end
 end

data/jwtear.gemspec

@@ -19,10 +19,11 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency 'gli',          '~> 2.19', '>= 2.19.0'
-  spec.add_dependency 'json-jwt',     '~> 1.10', '>= 1.10.2'
+  spec.add_dependency 'json-jwt',     '~> 1.11', '>= 1.11.0'
   spec.add_dependency 'jwe',          "~> 0.4.0"
   spec.add_dependency 'tty-markdown', "~> 0.6.0"
   spec.add_dependency 'tty-pager',    "~> 0.12.1"
+  spec.add_dependency 'colorize',     "~> 0.8.1"
 
   # spec.add_development_dependency('rake', '~> 0.9.2.2')
 end

data/lib/jwtear/helpers/utils.rb

@@ -19,26 +19,28 @@ module JWTear
 
       # read key as a string or from file(eg. pub_key.pem)
       def read_key(key)
-        if key
-          File.file?(key)? File.read(key) : key
+        if File.file?(File.absolute_path(key))
+          File.read(File.absolute_path(key))
+        else
+          key
         end
       end
 
       # check_dependencies
       #   check dependencies for plugins and throw a gentle error if not installed
       # @param deps [Hash]
-      #   The key is the library to be require, the key is the gem to be required
+      #   The key is the key is the gem name to be installed, the value is library to be require
       # @example
       #   deps = {'async-io' => 'async/ip'}
       #   check_dependencies(deps)
       #
       def check_dependencies(deps={})
-        return if deps.empty?
+        return if deps.empty? or deps.nil?
         missing = []
 
-        deps.each do |gem, req|
+        deps.each do |gem, lib|
           begin
-            require req
+            require lib
           rescue LoadError
             missing << gem
           end

data/lib/jwtear/jwe.rb

@@ -58,10 +58,10 @@ module JWTear
       cipher_text = Base64.urlsafe_encode64(@cipher_text, padding: false)
       authentication_tag = Base64.urlsafe_encode64(@authentication_tag, padding: false)
 
-      "#{header.to_json}" + "●" +
-      "#{encrypted_key}"  + "●" +
-      "#{iv}"             + "●" +
-      "#{cipher_text}"    + "●" +
+      "#{header.to_json}" + ".".bold +
+      "#{encrypted_key}"  + ".".bold +
+      "#{iv}"             + ".".bold +
+      "#{cipher_text}"    + ".".bold +
       "#{authentication_tag}"
     end
 
@@ -78,7 +78,7 @@ module JWTear
       key = OpenSSL::PKey::RSA.new(key)
       jwt = JSON::JWT.new(JSON.parse(payload, symbolize_names: true))
       jwt.header = JSON.parse(header, symbolize_names: true)
-      ::JWE.encrypt(payload, key, enc: jwt.header[:enc]) # I had to use this gem as json-jwt does not support A192GCM AFAIK
+      ::JWE.encrypt(payload, key, enc: jwt.header[:enc]) # I had to use this gem as jwe does not support A192GCM AFAIK
     rescue TypeError => e
       print_bad "Invalid data type."
       print_warning "Make sure your public/private key file exists."
@@ -92,6 +92,12 @@ module JWTear
       exit!
     end
 
+    # is_encrypted?
+    #   to check if the given string in a JSON format or its encrypted.
+    #   Used mostly with @encrypted_key as it might come in different format.
+    # @param item [JSON|STRING]
+    #
+    # @return [Boolean]
     def is_encrypted?(item)
       JSON.parse item
       false

data/lib/jwtear/jws.rb

@@ -39,7 +39,7 @@ module JWTear
     end
 
     def to_json_presentation
-      "#{@header.to_json}" + "●" + "#{@payload.to_json}" + "●" + "#{Base64.urlsafe_encode64(@signature, padding: false)}"
+      "#{@header.to_json}" + ".".bold + "#{@payload.to_json}" + ".".bold + "#{Base64.urlsafe_encode64(@signature, padding: false)}"
     end
 
     # generate_jws
@@ -59,6 +59,8 @@ module JWTear
       puts "Unexpected algorithm '#{jwt.header[:alg]}'."
       puts e.message
       exit!
+    rescue Exception => e
+      print_error e.message
     end
     
     private
@@ -73,6 +75,24 @@ module JWTear
         jwt.to_s
       else
         raise JSON::JWS::UnexpectedAlgorithm.new("Encryption algorithm '#{jwt.alg}' requires key.") if key.nil?
+        alg = jwt.alg.upcase
+        case
+        when alg.start_with?("HS")
+          key
+        when alg.start_with?("RS")
+          key = OpenSSL::PKey::RSA.new(key)
+        when alg.start_with?("PS")
+          key = OpenSSL::PKey::RSA.new(key)
+        when alg.start_with?("ES")
+          # key = OpenSSL::PKey::RSA.new(key)
+          print_error("Signing for ECDSA-SHA is not yet implemented")
+          print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
+        else
+          print_warning("Undefined algorithm. This might generate a wrong token")
+          print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
+          key
+        end
+        jwt.alg = alg.to_sym
         jwt.sign(key).to_s
       end
     end

data/lib/jwtear/token.rb

@@ -23,10 +23,9 @@ module JWTear
         @jwe.parse(token)
       end
     rescue Exception => e
-      print_error "Unknown Exception: #{method(__method__).owner}"
+      print_error "#{method(__method__).owner}##{__method__} : Unknown Exception"
       print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
-      puts e
-      puts e.backtrace
+      puts e.full_message
       exit!
     end
 

data/lib/jwtear/version.rb

@@ -1,3 +1,3 @@
 module JWTear
-  VERSION = "1.0.1.pre"
+  VERSION = "1.0.6"
 end

data/plugins/bruteforce.rb

@@ -16,7 +16,7 @@ module JWTear
       c.desc "Run verbosely."
       c.switch [:v, :verbose], negatable: false
 
-      c.example  %Q{jwtear bruteforce -t TOKEN -l rockyou.list -v}
+      c.example  %Q{jwtear bruteforce -v -t TOKEN -l rockyou.list}
       c.example  %Q{jwtear bruteforce -t TOKEN -l P@ssw0rd123}
 
       c.action do |_, options, _|
@@ -25,7 +25,6 @@ module JWTear
           bf.run(options[:verbose])
         end
       end
-
     end
   end
 
@@ -34,7 +33,7 @@ module JWTear
     include JWTear::Helpers::Utils
 
     def initialize(token, list)
-      deps = {'async-io' => 'async/io'}
+      deps = {}
       check_dependencies(deps)
       @token = Token.new
       @jws   = @token.parse(token)
@@ -46,9 +45,10 @@ module JWTear
       case
       when keys.kind_of?(Enumerator::Lazy)
         keys.each do |key|
+          key.valid_encoding? ? key.strip! : next
           print_status "Trying password: #{key}" if verbose
 
-          gen_token = @token.generate(:jws, header: @jws.header.to_json, payload:@jws.payload.to_json , key: key)
+          gen_token = @token.generate(:jws, header: @jws.header.to_json, payload: @jws.payload.to_json , key: key)
           sig = gen_token.split('.').last
           if sig == Base64.urlsafe_encode64(@jws.signature, padding: false)
             print_good "Password found: #{key}"
@@ -56,11 +56,10 @@ module JWTear
             exit!
           else
             print_bad "Invalid key: #{key}" if verbose
-            # puts gen_token if verbose
           end
         end
       when keys.kind_of?(String)
-        gen_token = @token.generate(:jws, header: @jws.header.to_json, payload:@jws.payload.to_json , key: keys)
+        gen_token = @token.generate(:jws, header: @jws.header.to_json, payload: @jws.payload.to_json , key: keys)
         sig = gen_token.split('.').last
         if sig == Base64.urlsafe_encode64(@jws.signature, padding: false)
           print_good "Password found: #{keys}"
@@ -68,20 +67,14 @@ module JWTear
         else
           print_bad "Invalid key: #{keys}"
         end
-
       else
         print_error "Unknown key type"
         raise
       end
     end
 
-
     def handle_key
-      if File.file?(@list)
-        read_wordlist(@list)
-      else
-        @list
-      end
+      File.file?(@list) ? read_wordlist(@list) : @list
     end
 
     def read_wordlist(file)
@@ -89,7 +82,6 @@ module JWTear
         print_status "Found '#{file}' file."
         File.readlines(file, chomp: true)
             .lazy
-            .map(&:strip)
             .reject(&:empty?)
             .reject(&:nil?)
       else
@@ -97,7 +89,6 @@ module JWTear
         exit!
       end
     end
-
   end
 end
 

data/plugins/generate.rb

@@ -20,7 +20,7 @@ module JWTear
       jws_cmd.desc "Key as a password string or a file public key. eg. P@ssw0rd  | eg. public_key.pem"
       jws_cmd.arg_name 'PASSWORD|PUB_KEY_FILE'
       jws_cmd.flag [:k, :key]
-      jws_cmd.action do |global, options, args|
+      jws_cmd.action do |_, options, _|
         gen = Generate.new
         puts gen.jws_token(options[:header], options[:payload], read_key(options[:key]))
       end

data/plugins/wiki.rb

@@ -5,7 +5,7 @@ module JWTear
     extend JWTear::Helpers::Utils
 
     desc "A JWT wiki for hackers."
-    long_desc "Wiki wiki Wiki wiki Wiki wiki Wiki wiki Wiki wiki Wiki wiki"
+    long_desc "A JWT wiki contains introduction, attack ideas, vulnerable application links and resources."
     command [:wiki, :w] do |c|
 
       c.desc "Show the wiki page on terminal"

data/plugins/wiki/README.md

@@ -164,6 +164,8 @@ This carries the same meaning as explained under JWE compact serialization, prev
 
 This carries the same meaning as explained under JWE compact serialization, previously. The tag element in the JWE token carries the base64url-encoded value of the JWE authenticated tag, which is an outcome of the encryption process using an AEAD algorithm.
 
+_source(JWT, JWS and JWE for Not So Dummies! (Part I))_
+
 ---
 
 
@@ -185,18 +187,19 @@ This carries the same meaning as explained under JWE compact serialization, prev
 ## Vulnerable Applications
 
 * [Damn Vulnerable Web Services - DVWS](https://github.com/snoopysecurity/dvws)
-* [Pentesterlab(Free)| JSON Web Token I](https://pentesterlab.com/exercises/jwt/)
-* [Pentesterlab(PRO) | JSON Web Token II](https://pentesterlab.com/exercises/jwt_ii/)
-* [Pentesterlab(PRO) | JWT III](https://pentesterlab.com/exercises/jwt_iii/)
-* [Pentesterlab(PRO) | JWT IV](https://pentesterlab.com/exercises/jwt_iv)
-* [Pentesterlab(PRO) | JWT V](https://pentesterlab.com/exercises/jwt_v)
-* [Pentesterlab(PRO) | JWT VI](https://pentesterlab.com/exercises/jwt_vi)
-* [Pentesterlab(PRO) | JWT VII](https://pentesterlab.com/exercises/jwt_vii)
-* [Pentesterlab(PRO) | JWT VIII](https://pentesterlab.com/exercises/jwt_viii)
-* [Pentesterlab(PRO) | JWT X](https://pentesterlab.com/exercises/jwt_x/)
-* [Pentesterlab(PRO) | JWT XI](https://pentesterlab.com/exercises/jwt_xi)
-* [Pentesterlab(PRO) | JWT XII](https://pentesterlab.com/exercises/jwt_xii)
-* [Pentesterlab(PRO) | JSON Web Encryption](https://pentesterlab.com/exercises/jwe)
+* [Pentesterlab(Free) - JSON Web Token I](https://pentesterlab.com/exercises/jwt/)
+* [Pentesterlab(PRO)  - JSON Web Token II](https://pentesterlab.com/exercises/jwt_ii/)
+* [Pentesterlab(PRO)  - JWT III](https://pentesterlab.com/exercises/jwt_iii/)
+* [Pentesterlab(PRO)  - JWT IV](https://pentesterlab.com/exercises/jwt_iv)
+* [Pentesterlab(PRO)  - JWT V](https://pentesterlab.com/exercises/jwt_v)
+* [Pentesterlab(PRO)  - JWT VI](https://pentesterlab.com/exercises/jwt_vi)
+* [Pentesterlab(PRO)  - JWT VII](https://pentesterlab.com/exercises/jwt_vii)
+* [Pentesterlab(PRO)  - JWT VIII](https://pentesterlab.com/exercises/jwt_viii)
+* [Pentesterlab(PRO)  - JWT X](https://pentesterlab.com/exercises/jwt_x/)
+* [Pentesterlab(PRO)  - JWT XI](https://pentesterlab.com/exercises/jwt_xi)
+* [Pentesterlab(PRO)  - JWT XII](https://pentesterlab.com/exercises/jwt_xii)
+* [Pentesterlab(PRO)  - JWT XIII](https://pentesterlab.com/exercises/jwt_iii)
+* [Pentesterlab(PRO)  - JSON Web Encryption](https://pentesterlab.com/exercises/jwe)
 * [Vulnerable JWT implementations](https://github.com/Sjord/jwtdemo)
 
 ## Resources
@@ -210,3 +213,4 @@ This carries the same meaning as explained under JWE compact serialization, prev
 * [Damn Vulnerable Service](https://github.com/snoopysecurity/dvws)
 * [CSRF JWT redirect leak](https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781)
 * [Critical vulnerabilities in JSON Web Token libraries](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/)
+* [JWT Attack Playbook](https://github.com/ticarpi/jwt_tool/wiki)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwtear
 version: !ruby/object:Gem::Version
-  version: 1.0.1.pre
+  version: 1.0.6
 platform: ruby
 authors:
 - KING SABRI
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-10-04 00:00:00.000000000 Z
+date: 2021-02-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gli
@@ -36,20 +36,20 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: '1.11'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.10.2
+        version: 1.11.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: '1.11'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.10.2
+        version: 1.11.0
 - !ruby/object:Gem::Dependency
   name: jwe
   requirement: !ruby/object:Gem::Requirement
@@ -92,6 +92,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.12.1
+- !ruby/object:Gem::Dependency
+  name: colorize
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.8.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.8.1
 description: JWTear, a modular command-line tool to parse, create and manipulate JWT
   tokens for security testing purposes.
 email:
@@ -101,6 +115,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/gem-push.yml"
 - ".gitignore"
 - CODE_OF_CONDUCT.md
 - Gemfile
@@ -138,12 +153,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6.2
+rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: JWTear, a modular command-line tool to parse, create and manipulate JWT tokens