A new Unfurl release is here! v2023.09 adds new features and some fixes. The release adds:

  • Parsing of JWTs (JSON Web Tokens)
  • Parsing of DoH (DNS over HTTPS) URLs
  • More recognized Mastodon servers

This is a relatively small release; but in addition to the new features, it fixes a few bugs (see the full changelog on the GitHub release page). Get it now, or read on for more details about the new features!

Parse JSON Web Tokens (JWTs)

JSON Web Tokens (JWTs) are used frequency for authorization and signing purposes. I won't go into much details about their structure here (check this out for an introduction), but just say at the highest level JWTs have three parts: header, payload, and signature. Each of these is base64-encoded, and separated by a .. Unfurl first splits a JWT into those three components, then base64-decodes the header and payload, then parses the resulting JSON objects. While Unfurl could parse all that in one step, it does it in three steps to keep with the "show your work" spirit of the tool.

Here's Unfurl parsing a simple JWT (from Wikipedia):

Unfurl parsing a simple JWT

I encounter these often when looking through links in emails. Here's another example, but with a lot more other parsers as well:

Unfurl parsing an email link with a JWT

Don't you just love how ridiculous email links have gotten? This one wasn't even malicious.

DNS over HTTPS (DoH)

I was reading a SANS Internet Storm Center post by Johannes Ullrich a while ago about decoding DoH requests in their honeypot and found it interesting. I knew a little about DoH, but hadn't seen URLs contained encoded requests before. I created an Unfurl parser for them; see an example below:

Unfurl parsing a URL containing an encoded DoH message

More Mastodon Servers

Unfurl has parsed timestamps from Mastodon's Toots for a long time, but it previously recognized a limited number of Mastodon servers. With the uptake of Mastodon usage, I've updated the list of Mastodon servers Unfurl knows about to nearly 250.

Get it!

Those are the major items in this Unfurl release. There are more changes that didn't make it into the blog post; check out the release notes for more. To get Unfurl with these latest updates, you can:

All features work in both the web UI and command line versions (unfurl_app.py & unfurl_cli.py).