RubyGems - jwtear - Versions diffs - 1.0.3 → 1.0.7 - Mend

jwtear 1.0.3 → 1.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

checksums.yaml +4 -4
data/.github/workflows/gem-push.yml +30 -0
data/Gemfile.lock +46 -47
data/bin/jwtear +3 -1
data/jwtear.gemspec +5 -4
data/lib/jwtear/helpers/utils.rb +9 -7
data/lib/jwtear/jwe.rb +5 -5
data/lib/jwtear/jws.rb +21 -1
data/lib/jwtear/token.rb +2 -3
data/lib/jwtear/version.rb +1 -1
data/plugins/bruteforce.rb +3 -3
data/plugins/generate.rb +1 -1
data/plugins/wiki/README.md +2 -0
data/plugins/wiki.rb +2 -2
metadata +32 -24

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e525a4137016b92472239033b86cc80e65ecd8fa75e77a0cc41c8639efbe8087
-  data.tar.gz: f59b1ccf37571aafb5dbbab81513b95dffc4f1b0fcefd61a6ff4c963e164a17e
+  metadata.gz: 2681c86bec09d95803c8051feae4f7a647f2fda293425c5b01c25e8d7b97977b
+  data.tar.gz: 20db1a8f7aea19fe20e96d736e0df7b83626e73c9cf7df8e9033fbe55f9459ee
 SHA512:
-  metadata.gz: bdf15b504417a7cf3fc8653938317b72efbf60b4cccff6096f1d25f19875110d972385ba8c3834c83ed704ddf651f580608c4e36a4b782e10ec9c9ac593762b6
-  data.tar.gz: 9fae6f5523f4df145282221ac8021376c3dca4a061592ad431e6c7c7441700e3f337d03bc8074eebae5a3f8f841c9bbaad65a1774ddf32f8228c6cd113cd6f1c
+  metadata.gz: 20c40cce0192a37fc2924799597d584a891a192c81f31376f02edf24f944c22378eb253e799569fce6ea6e2926e7c15af3e5acb5672d6470f7e355f6179eb3f1
+  data.tar.gz: ca85ee1cb1b2a6a1ea6267b0a952bf5586fbf92d215069d5739d5642bf80a5456849be75ea9205869249a7cb4ee15fa94a109f4321a1dcb2cead8b790bf293bf

data/.github/workflows/gem-push.yml ADDED Viewed

@@ -0,0 +1,30 @@
+name: Push2RubyGems
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+jobs:
+  build:
+    name: Build + Publish
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby 2.6
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.6.x
+    - name: Publish to RubyGems
+      run: |
+        mkdir -p $HOME/.gem
+        touch $HOME/.gem/credentials
+        chmod 0600 $HOME/.gem/credentials
+        printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
+        gem build *.gemspec
+        gem push *.gem
+      env:
+        GEM_HOST_API_KEY: "${{secrets.GEM_HOST_API_KEY}}"

data/Gemfile.lock CHANGED Viewed

@@ -1,71 +1,70 @@
 PATH
   remote: .
   specs:
-    jwtear (1.0.3)
-      gli (~> 2.19, >= 2.19.0)
-      json-jwt (~> 1.10, >= 1.10.2)
+    jwtear (1.0.7)
+      colorize (~> 0.8.1)
+      gli (~> 2.20, >= 2.20.0)
+      json-jwt (~> 1.13.0)
       jwe (~> 0.4.0)
-      tty-markdown (~> 0.6.0)
-      tty-pager (~> 0.12.1)
+      tty-markdown (~> 0.7.0)
+      tty-pager (~> 0.14.0)
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (6.0.0)
+    activesupport (6.1.4.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.1, >= 2.1.8)
-    aes_key_wrap (1.0.1)
-    bindata (2.4.4)
-    concurrent-ruby (1.1.5)
-    equatable (0.6.1)
-    gli (2.19.0)
-    i18n (1.7.0)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
+    aes_key_wrap (1.1.0)
+    bindata (2.4.10)
+    colorize (0.8.1)
+    concurrent-ruby (1.1.9)
+    gli (2.20.1)
+    i18n (1.8.10)
       concurrent-ruby (~> 1.0)
-    json-jwt (1.10.2)
+    json-jwt (1.13.0)
       activesupport (>= 4.2)
       aes_key_wrap
       bindata
     jwe (0.4.0)
-    kramdown (1.16.2)
-    minitest (5.12.2)
-    pastel (0.7.3)
-      equatable (~> 0.6)
+    kramdown (2.3.1)
+      rexml
+    minitest (5.14.4)
+    pastel (0.8.0)
       tty-color (~> 0.5)
-    rouge (3.11.1)
-    strings (0.1.6)
-      strings-ansi (~> 0.1)
-      unicode-display_width (~> 1.5)
+    rexml (3.2.5)
+    rouge (3.26.0)
+    strings (0.2.1)
+      strings-ansi (~> 0.2)
+      unicode-display_width (>= 1.5, < 3.0)
       unicode_utils (~> 1.4)
-    strings-ansi (0.1.0)
-    thread_safe (0.3.6)
-    tty-color (0.5.0)
-    tty-markdown (0.6.0)
-      kramdown (~> 1.16.2)
-      pastel (~> 0.7.2)
-      rouge (~> 3.3)
-      strings (~> 0.1.4)
-      tty-color (~> 0.4)
-      tty-screen (~> 0.6)
-    tty-pager (0.12.1)
-      strings (~> 0.1.4)
-      tty-screen (~> 0.6)
-      tty-which (~> 0.4)
-    tty-screen (0.7.0)
-    tty-which (0.4.1)
-    tzinfo (1.2.5)
-      thread_safe (~> 0.1)
-    unicode-display_width (1.6.0)
+    strings-ansi (0.2.0)
+    tty-color (0.6.0)
+    tty-markdown (0.7.0)
+      kramdown (>= 1.16.2, < 3.0)
+      pastel (~> 0.8)
+      rouge (~> 3.14)
+      strings (~> 0.2.0)
+      tty-color (~> 0.5)
+      tty-screen (~> 0.8)
+    tty-pager (0.14.0)
+      strings (~> 0.2.0)
+      tty-screen (~> 0.8)
+    tty-screen (0.8.1)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
+    unicode-display_width (2.0.0)
     unicode_utils (1.4.0)
-    zeitwerk (2.1.10)
+    zeitwerk (2.4.2)
 PLATFORMS
-  ruby
+  x86_64-linux
 DEPENDENCIES
   jwtear!
 BUNDLED WITH
-   2.0.2
+   2.2.25

data/bin/jwtear CHANGED Viewed

@@ -46,7 +46,7 @@ module  JWTear
       exit!
     end
-    puts banner if ARGV.empty?
+    puts banner if ARGV.empty?
     on_error do |exception|
       puts banner
       case exception
@@ -58,6 +58,8 @@ module  JWTear
         print_error "Option #{exception.message}"
       when GLI::UnknownCommandArgument
         print_error "#{exception.message}"
+      when GLI::UnknownCommand
+        print_error "#{exception.message}"
       else
         print_error "Unknown Exception:"
         print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline

data/jwtear.gemspec CHANGED Viewed

@@ -18,11 +18,12 @@ Gem::Specification.new do |spec|
   spec.executables   = ['jwtear']
   spec.require_paths = ["lib"]
-  spec.add_dependency 'gli',          '~> 2.19', '>= 2.19.0'
-  spec.add_dependency 'json-jwt',     '~> 1.10', '>= 1.10.2'
+  spec.add_dependency 'gli',          '~> 2.20', '>= 2.20.0'
+  spec.add_dependency 'json-jwt',     '~> 1.13.0'
   spec.add_dependency 'jwe',          "~> 0.4.0"
-  spec.add_dependency 'tty-markdown', "~> 0.6.0"
-  spec.add_dependency 'tty-pager',    "~> 0.12.1"
+  spec.add_dependency 'tty-markdown', "~> 0.7.0"
+  spec.add_dependency 'tty-pager',    "~> 0.14.0"
+  spec.add_dependency 'colorize',     "~> 0.8.1"
   # spec.add_development_dependency('rake', '~> 0.9.2.2')
 end

data/lib/jwtear/helpers/utils.rb CHANGED Viewed

@@ -19,32 +19,34 @@ module JWTear
       # read key as a string or from file(eg. pub_key.pem)
       def read_key(key)
-        if key
-          File.file?(key)? File.read(key) : key
+        if File.file?(File.absolute_path(key))
+          File.read(File.absolute_path(key))
+        else
+          key
         end
       end
       # check_dependencies
       #   check dependencies for plugins and throw a gentle error if not installed
       # @param deps [Hash]
-      #   The key is the library to be require, the key is the gem to be required
+      #   The key is the key is the gem name to be installed, the value is library to be require
       # @example
       #   deps = {'async-io' => 'async/ip'}
       #   check_dependencies(deps)
       #
       def check_dependencies(deps={})
-        return if deps.empty?
+        return if deps.empty? or deps.nil?
         missing = []
-        deps.each do |gem, req|
+        deps.each do |gem, lib|
           begin
-            require req
+            require lib
           rescue LoadError
             missing << gem
           end
         end
       ensure
-        unless missing.empty?
+        unless missing.nil? or missing.empty?
           print_error "Missing dependencies!"
           print_warning "Please install as follows:"
           puts "gem install #{missing.join(' ')}"

data/lib/jwtear/jwe.rb CHANGED Viewed

@@ -58,10 +58,10 @@ module JWTear
       cipher_text = Base64.urlsafe_encode64(@cipher_text, padding: false)
       authentication_tag = Base64.urlsafe_encode64(@authentication_tag, padding: false)
-      "#{header.to_json}" + "●" +
-      "#{encrypted_key}"  + "●" +
-      "#{iv}"             + "●" +
-      "#{cipher_text}"    + "●" +
+      "#{header.to_json}" + ".".bold +
+      "#{encrypted_key}"  + ".".bold +
+      "#{iv}"             + ".".bold +
+      "#{cipher_text}"    + ".".bold +
       "#{authentication_tag}"
     end
@@ -78,7 +78,7 @@ module JWTear
       key = OpenSSL::PKey::RSA.new(key)
       jwt = JSON::JWT.new(JSON.parse(payload, symbolize_names: true))
       jwt.header = JSON.parse(header, symbolize_names: true)
-      ::JWE.encrypt(payload, key, enc: jwt.header[:enc]) # I had to use this gem as json-jwt does not support A192GCM AFAIK
+      ::JWE.encrypt(payload, key, enc: jwt.header[:enc]) # I had to use this gem as jwe does not support A192GCM AFAIK
     rescue TypeError => e
       print_bad "Invalid data type."
       print_warning "Make sure your public/private key file exists."

data/lib/jwtear/jws.rb CHANGED Viewed

@@ -39,7 +39,7 @@ module JWTear
     end
     def to_json_presentation
-      "#{@header.to_json}" + "●" + "#{@payload.to_json}" + "●" + "#{Base64.urlsafe_encode64(@signature, padding: false)}"
+      "#{@header.to_json}" + ".".bold + "#{@payload.to_json}" + ".".bold + "#{Base64.urlsafe_encode64(@signature, padding: false)}"
     end
     # generate_jws
@@ -59,6 +59,8 @@ module JWTear
       puts "Unexpected algorithm '#{jwt.header[:alg]}'."
       puts e.message
       exit!
+    rescue Exception => e
+      print_error e.message
     end
     private
@@ -73,6 +75,24 @@ module JWTear
         jwt.to_s
       else
         raise JSON::JWS::UnexpectedAlgorithm.new("Encryption algorithm '#{jwt.alg}' requires key.") if key.nil?
+        alg = jwt.alg.upcase
+        case
+        when alg.start_with?("HS")
+          key
+        when alg.start_with?("RS")
+          key = OpenSSL::PKey::RSA.new(key)
+        when alg.start_with?("PS")
+          key = OpenSSL::PKey::RSA.new(key)
+        when alg.start_with?("ES")
+          # key = OpenSSL::PKey::RSA.new(key)
+          print_error("Signing for ECDSA-SHA is not yet implemented")
+          print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
+        else
+          print_warning("Undefined algorithm. This might generate a wrong token")
+          print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
+          key
+        end
+        jwt.alg = alg.to_sym
         jwt.sign(key).to_s
       end
     end

data/lib/jwtear/token.rb CHANGED Viewed

@@ -23,10 +23,9 @@ module JWTear
         @jwe.parse(token)
       end
     rescue Exception => e
-      print_error "Unknown Exception: #{method(__method__).owner}"
+      print_error "#{method(__method__).owner}##{__method__} : Unknown Exception"
       print_warning 'Please report the issue to: https://github.com/KINGSABRI/jwtear/issues'.underline
-      puts e
-      puts e.backtrace
+      puts e.full_message
       exit!
     end

data/lib/jwtear/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module JWTear
-  VERSION = "1.0.3"
+  VERSION = "1.0.7"
 end

data/plugins/bruteforce.rb CHANGED Viewed

@@ -33,7 +33,7 @@ module JWTear
     include JWTear::Helpers::Utils
     def initialize(token, list)
-      deps = {'async-io' => 'async/io'}
+      deps = {}
       check_dependencies(deps)
       @token = Token.new
       @jws   = @token.parse(token)
@@ -48,7 +48,7 @@ module JWTear
           key.valid_encoding? ? key.strip! : next
           print_status "Trying password: #{key}" if verbose
-          gen_token = @token.generate(:jws, header: @jws.header.to_json, payload:@jws.payload.to_json , key: key)
+          gen_token = @token.generate(:jws, header: @jws.header.to_json, payload: @jws.payload.to_json , key: key)
           sig = gen_token.split('.').last
           if sig == Base64.urlsafe_encode64(@jws.signature, padding: false)
             print_good "Password found: #{key}"
@@ -59,7 +59,7 @@ module JWTear
           end
         end
       when keys.kind_of?(String)
-        gen_token = @token.generate(:jws, header: @jws.header.to_json, payload:@jws.payload.to_json , key: keys)
+        gen_token = @token.generate(:jws, header: @jws.header.to_json, payload: @jws.payload.to_json , key: keys)
         sig = gen_token.split('.').last
         if sig == Base64.urlsafe_encode64(@jws.signature, padding: false)
           print_good "Password found: #{keys}"

data/plugins/generate.rb CHANGED Viewed

@@ -20,7 +20,7 @@ module JWTear
       jws_cmd.desc "Key as a password string or a file public key. eg. P@ssw0rd  | eg. public_key.pem"
       jws_cmd.arg_name 'PASSWORD|PUB_KEY_FILE'
       jws_cmd.flag [:k, :key]
-      jws_cmd.action do |global, options, args|
+      jws_cmd.action do |_, options, _|
         gen = Generate.new
         puts gen.jws_token(options[:header], options[:payload], read_key(options[:key]))
       end

data/plugins/wiki/README.md CHANGED Viewed

@@ -198,6 +198,7 @@ _source(JWT, JWS and JWE for Not So Dummies! (Part I))_
 * [Pentesterlab(PRO)  - JWT X](https://pentesterlab.com/exercises/jwt_x/)
 * [Pentesterlab(PRO)  - JWT XI](https://pentesterlab.com/exercises/jwt_xi)
 * [Pentesterlab(PRO)  - JWT XII](https://pentesterlab.com/exercises/jwt_xii)
+* [Pentesterlab(PRO)  - JWT XIII](https://pentesterlab.com/exercises/jwt_iii)
 * [Pentesterlab(PRO)  - JSON Web Encryption](https://pentesterlab.com/exercises/jwe)
 * [Vulnerable JWT implementations](https://github.com/Sjord/jwtdemo)
@@ -212,3 +213,4 @@ _source(JWT, JWS and JWE for Not So Dummies! (Part I))_
 * [Damn Vulnerable Service](https://github.com/snoopysecurity/dvws)
 * [CSRF JWT redirect leak](https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781)
 * [Critical vulnerabilities in JSON Web Token libraries](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/)
+* [JWT Attack Playbook](https://github.com/ticarpi/jwt_tool/wiki)

data/plugins/wiki.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module JWTear
     extend JWTear::Helpers::Utils
     desc "A JWT wiki for hackers."
-    long_desc "Wiki wiki Wiki wiki Wiki wiki Wiki wiki Wiki wiki Wiki wiki"
+    long_desc "A JWT wiki contains introduction, attack ideas, vulnerable application links and resources."
     command [:wiki, :w] do |c|
       c.desc "Show the wiki page on terminal"
@@ -34,7 +34,7 @@ module JWTear
         require 'open-uri'
         print_status 'Updating wiki'
         current_wiki = File.expand_path(File.join(__dir__ ,  'wiki', 'README.md'))
-        updated_wiki = open('https://raw.githubusercontent.com/KINGSABRI/jwtear/master/plugins/wiki/README.md').read
+        updated_wiki = URI.open('https://raw.githubusercontent.com/KINGSABRI/jwtear/master/plugins/wiki/README.md').read
         if File.exists?(current_wiki) && File.writable?(current_wiki)
           File.write(current_wiki, updated_wiki)
         else

metadata CHANGED Viewed

@@ -1,55 +1,49 @@
 --- !ruby/object:Gem::Specification
 name: jwtear
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 1.0.7
 platform: ruby
 authors:
 - KING SABRI
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-10-07 00:00:00.000000000 Z
+date: 2021-08-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gli
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.19'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.19.0
+        version: 2.20.0
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.20'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.19'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 2.19.0
+        version: 2.20.0
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.20'
 - !ruby/object:Gem::Dependency
   name: json-jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.10.2
+        version: 1.13.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.10.2
+        version: 1.13.0
 - !ruby/object:Gem::Dependency
   name: jwe
   requirement: !ruby/object:Gem::Requirement
@@ -70,28 +64,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.6.0
+        version: 0.7.0
 - !ruby/object:Gem::Dependency
   name: tty-pager
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.12.1
+        version: 0.14.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.14.0
+- !ruby/object:Gem::Dependency
+  name: colorize
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.8.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.12.1
+        version: 0.8.1
 description: JWTear, a modular command-line tool to parse, create and manipulate JWT
   tokens for security testing purposes.
 email:
@@ -101,6 +109,7 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/gem-push.yml"
 - ".gitignore"
 - CODE_OF_CONDUCT.md
 - Gemfile
@@ -142,8 +151,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.6.2
+rubygems_version: 3.0.3.1
 signing_key:
 specification_version: 4
 summary: JWTear, a modular command-line tool to parse, create and manipulate JWT tokens