View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0007246 | Kali Linux | [All Projects] Queued Tool Addition | public | 2021-06-30 17:19 | 2023-02-20 08:59 |
Reporter | tonyg73 | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | N/A |
Status | acknowledged | Resolution | open | ||
Product Version | 2021.2 | ||||
Target Version | Fixed in Version | ||||
Summary | 0007246: PSJsonWebToken PowerShell module - allows a tester to craft custom attacks against endpoints that accept JWTs for authentication | ||||
Description | [Name] - PSJsonWebToken [Version] - What version of the tool should be added? Version 1.7.7 [Homepage] - Where can the tool be found online? Where to go to get more information? https://github.com/anthonyg-1/PSJsonWebToken https://www.powershellgallery.com/packages/PSJsonWebToken/1.7.7 [Download] - Where to go to get the tool? either a download page or a link to the latest version Can be installed from the PowerShell Gallery by executing the following command from pwsh: Install-Module -Name PSJsonWebToken -Repository PSGallery -RequiredVersion 1.7.7 Links: https://www.powershellgallery.com/packages/PSJsonWebToken/1.7.7 https://github.com/anthonyg-1/PSJsonWebToken [Author] - Who made the tool? Anthony Guimelli https://www.linkedin.com/in/anthony-guimelli-cissp-867b0918a/ [Licence] - How is the software distributed? What conditions does it come with? The software is distributed via the PowerShell Gallery and/or direct download from the module's github repo. MIT license applies: https://github.com/anthonyg-1/PSJsonWebToken/blob/main/LICENSE [Description] - What is the tool about? What does it do? PSJsonWebToken is a PowerShell module that allows for the creation and manipulation of JSON Web Tokens (JWTs), an authentication token defined in RFC 7519, and JSON Web Keys (JWKs), an x509 public key serialized as JSON per RFC 7517. Both JWTs and JWKs are very common in modern web application security due to the prevalence of OpenID Connect. The benefits this module can offer a penetration tester include, but are not limited to: 1) Token manipulation and subsequent submission to an endpoint (via Get-JsonWebTokenPayload which decodes and deserializes a payload for manipulation and ConvertTo-JwtPart which encodes and serializes the manipulated payload) 2) The ability for a tester to craft their own tokens with a custom payload (via New-JwtSignature) 3) Brute-forcing HS256, HS484, and HS512 signed JWTs (via Test-JsonWebToken or Test-JwtSignature) 4) The ability to test an endpoint that accepts JWT vulnerabilities such as the "none" algorithm attack, algorithm substitution attack, CVE-2018-0114 (passing a jku in the header that references the attacker's JWK set URI, etc.). The modular characteristics of this module make crafting custom attacks against endpoints that accept JWTs quick and efficient. For more please see the “JWT Attacks” section here: https://github.com/anthonyg-1/PSJsonWebToken [Dependencies] - What is needed for the tool to work? PowerShell 5.1 or above. Since Kali Linux comes with PowerShell 7.1.3, this will suffice. This module was developed on PowerShell 7.1.0 on Ubuntu 18.04 and tested on Ubuntu 20.04, Kali Linux 2021.1, Windows 10 and MacOS. [Similar tools] - What other tools are out there? Burp has a JWT plugin and Python has PyJwt. While there are a few other PowerShell modules for JWTs, none of these have JWK support and several of these don’t work on PowerShell Core (6.0 and above which is required for Linux). [Activity] - When did the project start? Is is still actively being deployed? This project started on 11/2021 and is being actively deployed. [How to install] - How do you compile it? Note, using source code to acquire (e.g. git clone/svn checkout) can’t be used - Also downloading from the head. Please use a “tag” or “release” version. This is a PowerShell module written in over 99% PowerShell and less than 1% C#. To that end, compilation is not necessary. To obtain and use the module type the following from PowerShell in Kali Linux: Install-Module -Name PSJsonWebToken -Repository PSGallery -RequiredVersion 1.7.7 [How to use] - What are some basic commands/functions to demonstrate it? Demonstration of multiple cmdlets can be found in the “JWT Attacks” section here: https://github.com/anthonyg-1/PSJsonWebToken If needed I can copy them here but the formatting and clarity will be lost compared to what is shown in the above markdown. [Packaged] - Is the tool already packaged for Debian? This tool is packaged for any system running PowerShell 5.1 and above. | ||||
Steps To Reproduce | N/A new tool request | ||||
Additional Information | I would be happy to discuss/demonstrate use of this module. Please contact me if this is required. | ||||
|
Correction (can't seem to edit): The Activity section should reflect that the project started on 11/2020, not 2021. [Activity] - When did the project start? Is is still actively being deployed? This project started on 11/2020 and is being actively deployed. |
|
Latest release version is 1.7.10 and contains some quality of life improvements (default parameters, options for JWK generation, etc). Latest can be downloaded here: https://www.powershellgallery.com/packages/PSJsonWebToken/1.7.10 More info: https://github.com/anthonyg-1/PSJsonWebToken |
|
@kali-team, please could this be packaged up. @author, If you want to help the packaging process, you can check the documentation here ~ https://www.kali.org/docs/development/public-packaging |
|
@g0tmi1k does this mean these modules are slated to be included in Kali? I can take a look at the packaging process if that's the case. Would it be the same process for PowerShell modules even if they're accessible from the PowerShell Gallery? Sorry for the delay, been absolutely slammed with work. |
|
Estoy ansioso por trabajar con cada uno de los programas me gusta la tecologia |
Date Modified | Username | Field | Change |
---|---|---|---|
2021-06-30 17:19 | tonyg73 | New Issue | |
2021-06-30 19:49 | tonyg73 | Note Added: 0014880 | |
2021-07-08 23:05 | Gamb1t | Assigned To | => g0tmi1k |
2021-07-08 23:05 | Gamb1t | Status | new => assigned |
2021-08-03 11:21 | g0tmi1k | Assigned To | g0tmi1k => |
2021-08-03 11:22 | g0tmi1k | Status | assigned => new |
2021-08-24 15:24 | tonyg73 | Note Added: 0015024 | |
2021-08-31 10:06 | g0tmi1k | Note Added: 0015056 | |
2021-08-31 10:06 | g0tmi1k | Status | new => acknowledged |
2021-08-31 10:06 | g0tmi1k | Category | New Tool Requests => Queued Tool Addition |
2021-10-05 01:50 | tonyg73 | Note Added: 0015261 | |
2023-02-20 08:59 | Kenneths28 | Note Added: 0017539 |