Class: Msf::Exploit::Remote::HTTP::JWT

Inherits:
Object
Defined in:
lib/msf/core/exploit/remote/http/jwt.rb

Overview

Minimal JWT wrapper which only decodes the base64 header/claim values, and doesn’t encode/validate JWT tokens.

Note that swapping this out for a third-party gem will work, but there may be security issues with the key id (kid) claim, etc., which would need to be reviewed.

Constructor Details

#initialize(payload:, header:, signature:) ⇒ JWT

Returns a new instance of JWT.



# File 'lib/msf/core/exploit/remote/http/jwt.rb', line 10

def initialize(payload:, header:, signature:)
  @payload = payload
  @header = header
  @signature = signature
end

Instance Attribute Details

#header ⇒ Object (readonly)

Returns the value of attribute header.



# File 'lib/msf/core/exploit/remote/http/jwt.rb', line 8

def header
  @header
end

#payload ⇒ Object (readonly)

Returns the value of attribute payload.



# File 'lib/msf/core/exploit/remote/http/jwt.rb', line 8

def payload
  @payload
end

#signature ⇒ Object (readonly)

Returns the value of attribute signature.



# File 'lib/msf/core/exploit/remote/http/jwt.rb', line 8

def signature
  @signature
end

Class Method Details

.decode(jwt, _key = nil, _verify = true, _options = {}) ⇒ Object

Raises:

  • (ArgumentError)


# File 'lib/msf/core/exploit/remote/http/jwt.rb', line 20

def self.decode(jwt, _key = nil, _verify = true, _options = {})
  header, payload, signature = jwt.split('.', 3)
  raise ArgumentError, 'Invalid JWT format' if header.nil? || payload.nil? || signature.nil?

  header = JSON.parse(Rex::Text.decode_base64(header))
  payload = JSON.parse(Rex::Text.decode_base64(payload))

  self.new(payload: payload, header: header, signature: signature)
end
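
Added example (not Metasploit code and not part of the original page): a stand-alone Ruby sketch of the decode-only behaviour in the .decode listing above, next to the HS256 check a verifying consumer would have to add, since the listing never reads `_key` or `_verify`. The helper names, demo key and claims are assumptions constructed for illustration, and Ruby's pack/unpack stands in for Rex::Text.decode_base64.

```ruby
require 'json'
require 'openssl'

# Base64url helpers (URL-safe alphabet, no padding); stdlib stand-ins for Rex::Text.
def b64url_encode(bin)
  [bin].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  str.tr('-_', '+/').unpack1('m')
end

# Decode-only, same split/parse steps as .decode: the signature is never checked.
def decode_unverified(jwt)
  header, payload, signature = jwt.split('.', 3)
  raise ArgumentError, 'Invalid JWT format' if header.nil? || payload.nil? || signature.nil?

  { header: JSON.parse(b64url_decode(header)),
    payload: JSON.parse(b64url_decode(payload)),
    signature: signature }
end

# What a verifying consumer adds: algorithm and key are fixed by the verifier
# (never selected from the token's alg/kid) and the MAC is recomputed.
def hs256_valid?(jwt, key)
  return false unless decode_unverified(jwt)[:header]['alg'] == 'HS256'

  signing_input, _dot, signature = jwt.rpartition('.')
  expected = b64url_encode(OpenSSL::HMAC.digest('SHA256', key, signing_input))
  OpenSSL.secure_compare(expected, signature)
end

# Constructed sample data below (demo key and claims, not from the page).
def sign_hs256(claims, key)
  parts = [{ 'alg' => 'HS256', 'typ' => 'JWT' }, claims]
  input = parts.map { |part| b64url_encode(JSON.generate(part)) }.join('.')
  "#{input}.#{b64url_encode(OpenSSL::HMAC.digest('SHA256', key, input))}"
end

KEY = 'constructed-demo-key'
GENUINE = sign_hs256({ 'sub' => 'alice', 'admin' => false }, KEY)
# Payload swapped, header and signature kept: decodes fine, fails verification.
head, _old, sig = GENUINE.split('.')
TAMPERED = [head, b64url_encode(JSON.generate({ 'sub' => 'alice', 'admin' => true })), sig].join('.')

puts decode_unverified(TAMPERED)[:payload] # claims are returned either way
puts hs256_valid?(GENUINE, KEY), hs256_valid?(TAMPERED, KEY)
```

Claims obtained through a decode-only path like this are untrusted input until a separate verification step has passed.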

.encode(payload, key, algorithm = 'HS256', header_fields = {}) ⇒ Object

Raises:

  • (NotImplementedError)


# File 'lib/msf/core/exploit/remote/http/jwt.rb', line 16

def self.encode(payload, key, algorithm = 'HS256', header_fields = {})
  raise NotImplementedError
end