Class: Msf::Exploit::Remote::HTTP::JWT

Inherits:

Object

• Object
• Msf::Exploit::Remote::HTTP::JWT

Defined in:

lib/msf/core/exploit/remote/http/jwt.rb

Overview

Minimal JWT wrapper which only decodes the base64 header/claim values, and doesn’t encode/validate JWT tokens.

Note that swapping this out for a third-party gem will work, but there may be potential security issues with the key id (kid) claim etc, which would need to be reviewed.

Instance Attribute Summary

• #header ⇒ Object readonly

  Returns the value of attribute header.

• #payload ⇒ Object readonly

  Returns the value of attribute payload.

• #signature ⇒ Object readonly

  Returns the value of attribute signature.

Class Method Summary

• .decode(jwt, _key = nil, _verify = true, _options = {}) ⇒ Object
• .encode(payload, key, algorithm = 'HS256', header_fields = {}) ⇒ Object

Instance Method Summary

• #initialize(payload:, header:, signature:) ⇒ JWT constructor

  A new instance of JWT.

Constructor Details

#initialize(payload:, header:, signature:) ⇒ JWT

Returns a new instance of JWT.

# File 'lib/msf/core/exploit/remote/http/jwt.rb', line 10

def initialize(payload:, header:, signature:)
  @payload = payload
  @header = header
  @signature = signature
end

Instance Attribute Details

#header ⇒ Object (readonly)

Returns the value of attribute header.

# File 'lib/msf/core/exploit/remote/http/jwt.rb', line 8

def header
  @header
end

#payload ⇒ Object (readonly)

Returns the value of attribute payload.

# File 'lib/msf/core/exploit/remote/http/jwt.rb', line 8

def payload
  @payload
end

#signature ⇒ Object (readonly)

Returns the value of attribute signature.

# File 'lib/msf/core/exploit/remote/http/jwt.rb', line 8

def signature
  @signature
end

Class Method Details

.decode(jwt, _key = nil, _verify = true, _options = {}) ⇒ Object

Raises:

• (ArgumentError)

# File 'lib/msf/core/exploit/remote/http/jwt.rb', line 20

def self.decode(jwt, _key = nil, _verify = true, _options = {})
  header, payload, signature = jwt.split('.', 3)
  raise ArgumentError, 'Invalid JWT format' if header.nil? || payload.nil? || signature.nil?

  header = JSON.parse(Rex::Text.decode_base64(header))
  payload = JSON.parse(Rex::Text.decode_base64(payload))

  self.new(payload: payload, header: header, signature: signature)
end

.encode(payload, key, algorithm = 'HS256', header_fields = {}) ⇒ Object

Raises:

• (NotImplementedError)

# File 'lib/msf/core/exploit/remote/http/jwt.rb', line 16

def self.encode(payload, key, algorithm = 'HS256', header_fields = {})
  raise NotImplementedError
end