Unfurl v2023.09 Released!
Unfurl v2023.09 adds parsing for JWTs, URLs with encoded DoH (DNS over HTTPS) requests, and more Mastodon servers.
A new Unfurl release is here! v2023.09 adds new features and some fixes. The release adds:
- Parsing of JWTs (JSON Web Tokens)
- Parsing of DoH (DNS over HTTPS) URLs
- More recognized Mastodon servers
This is a relatively small release, but in addition to the new features, it fixes a few bugs (see the full changelog on the GitHub release page). Get it now, or read on for more details about the new features!
Parse JSON Web Tokens (JWTs)
JSON Web Tokens (JWTs) are used frequently for authorization and signing purposes. I won't go into much detail about their structure here (check this out for an introduction), but at the highest level, JWTs have three parts: header, payload, and signature. Each of these is base64-encoded, and they are separated by a `.`. Unfurl first splits a JWT into those three components, then base64-decodes the header and payload, then parses the resulting JSON objects. While Unfurl could parse all that in one step, it does it in three steps to keep with the "show your work" spirit of the tool.
Here's Unfurl parsing a simple JWT (from Wikipedia):
I encounter these often when looking through links in emails. Here's another example, with a lot of other parsers at work as well:
Don't you just love how ridiculous email links have gotten? This one wasn't even malicious.
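The three-step JWT breakdown described above (split, base64-decode, parse JSON) can be reproduced by hand when triaging a token outside Unfurl. This is an added example, not Unfurl's own code; the function names and the sample token are assumptions constructed for illustration.

```python
import base64
import json

PARTS = ("header", "payload", "signature")


def b64url_encode(raw: bytes) -> str:
    """Encode the way JWTs do: URL-safe alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unfurl_jwt(token: str) -> dict:
    """Return all three stages: raw segments, decoded text, parsed JSON.

    Decoding only. The signature is never checked, so treat every
    decoded claim as untrusted input.
    """
    segments = token.strip().split(".")
    if len(segments) != 3 or not all(segments[:2]):
        raise ValueError("expected header.payload.signature")
    stages = {"segments": dict(zip(PARTS, segments)), "decoded": {}, "parsed": {}}
    for name in PARTS[:2]:
        # binascii.Error, UnicodeDecodeError and JSONDecodeError are all
        # ValueError subclasses, so callers need one except clause.
        text = b64url_decode(stages["segments"][name]).decode("utf-8")
        parsed = json.loads(text)
        if not isinstance(parsed, dict):
            raise ValueError(f"{name} is not a JSON object")
        stages["decoded"][name] = text
        stages["parsed"][name] = parsed
    return stages


# Constructed sample token (values made up; the signature is filler bytes).
SAMPLE_TOKEN = ".".join((
    b64url_encode(b'{"alg":"HS256","typ":"JWT"}'),
    b64url_encode(b'{"sub":"constructed-user","iat":1693526400}'),
    b64url_encode(b"not-a-real-signature"),
))

if __name__ == "__main__":
    for stage, values in unfurl_jwt(SAMPLE_TOKEN).items():
        print(stage, json.dumps(values, indent=2))
```

Being able to read a token's claims says nothing about whether it is authentic; that requires verifying the signature with the issuer's key.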
DNS over HTTPS (DoH)
I was reading a SANS Internet Storm Center post by Johannes Ullrich a while ago about decoding DoH requests in their honeypot and found it interesting. I knew a little about DoH, but hadn't seen URLs containing encoded requests before. I created an Unfurl parser for them; see an example below:
More Mastodon Servers
Unfurl has parsed timestamps from Mastodon's Toots for a long time, but it previously recognized a limited number of Mastodon servers. With the uptake of Mastodon usage, I've updated the list of Mastodon servers Unfurl knows about to nearly 250.
Get it!
Those are the major items in this Unfurl release. There are more changes that didn't make it into the blog post; check out the release notes for more. To get Unfurl with these latest updates, you can:
- use it online at dfir.blog/unfurl or unfurl.link
- if using pip, `pip install dfir-unfurl -U` will upgrade your local Unfurl to the latest
- View the release on GitHub
All features work in both the web UI and command line versions (unfurl_app.py & unfurl_cli.py).