View Issue Details

IDProjectCategoryView StatusLast Update
0007246Kali Linux[All Projects] New Tool Requestspublic2021-07-08 23:05
Reportertonyg73 Assigned Tog0tmi1k  
Status assignedResolutionopen 
Product Version2021.2 
Target VersionFixed in Version 
Summary0007246: PSJsonWebToken PowerShell module - allows a tester to craft custom attacks against endpoints that accept JWTs for authentication
Description[Name] - PSJsonWebToken

[Version] - What version of the tool should be added?
        Version 1.7.7
[Homepage] - Where can the tool be found online? Where to go to get more information?


[Download] - Where to go to get the tool? either a download page or a link to the latest version

             Can be installed from the PowerShell Gallery by executing the following command from pwsh:

             Install-Module -Name PSJsonWebToken -Repository PSGallery -RequiredVersion 1.7.7


[Author] - Who made the tool?
                   Anthony Guimelli

[Licence] - How is the software distributed? What conditions does it come with?

            The software is distributed via the PowerShell Gallery and/or direct download from the module's github repo. MIT license applies:

[Description] - What is the tool about? What does it do?

                PSJsonWebToken is a PowerShell module that allows for the creation and manipulation of JSON Web Tokens (JWTs), an authentication token defined in RFC 7519, and JSON Web Keys (JWKs), an x509 public key serialized as JSON per RFC 7517. Both JWTs and JWKs are very common in modern web application security due to the prevalence of OpenID Connect. The benefits this module can offer a penetration tester include, but are not limited to:

                1) Token manipulation and subsequent submission to an endpoint (via Get-JsonWebTokenPayload which decodes and deserializes a payload for manipulation and ConvertTo-JwtPart which encodes and serializes the manipulated payload)

                2) The ability for a tester to craft their own tokens with a custom payload (via New-JwtSignature)

                3) Brute-forcing HS256, HS484, and HS512 signed JWTs (via Test-JsonWebToken or Test-JwtSignature)

                4) The ability to test an endpoint that accepts JWT vulnerabilities such as the "none" algorithm attack, algorithm substitution attack, CVE-2018-0114 (passing a jku in the header that references the attacker's JWK set URI, etc.).

The modular characteristics of this module make crafting custom attacks against endpoints that accept JWTs quick and efficient. For more please see the “JWT Attacks” section here:

[Dependencies] - What is needed for the tool to work?

PowerShell 5.1 or above. Since Kali Linux comes with PowerShell 7.1.3, this will suffice. This module was developed on PowerShell 7.1.0 on Ubuntu 18.04 and tested on Ubuntu 20.04, Kali Linux 2021.1, Windows 10 and MacOS.

[Similar tools] - What other tools are out there?

Burp has a JWT plugin and Python has PyJwt. While there are a few other PowerShell modules for JWTs, none of these have JWK support and several of these don’t work on PowerShell Core (6.0 and above which is required for Linux).

[Activity] - When did the project start? Is is still actively being deployed?
                   This project started on 11/2021 and is being actively deployed.

[How to install] - How do you compile it? Note, using source code to acquire (e.g. git clone/svn checkout) can’t be used - Also downloading from the head. Please use a “tag” or “release” version.

This is a PowerShell module written in over 99% PowerShell and less than 1% C#. To that end, compilation is not necessary. To obtain and use the module type the following from PowerShell in Kali Linux:

Install-Module -Name PSJsonWebToken -Repository PSGallery -RequiredVersion 1.7.7

[How to use] - What are some basic commands/functions to demonstrate it?

Demonstration of multiple cmdlets can be found in the “JWT Attacks” section here:

If needed I can copy them here but the formatting and clarity will be lost compared to what is shown in the above markdown.

[Packaged] - Is the tool already packaged for Debian?

This tool is packaged for any system running PowerShell 5.1 and above.
Steps To ReproduceN/A new tool request
Additional InformationI would be happy to discuss/demonstrate use of this module. Please contact me if this is required.



2021-06-30 19:49

reporter   ~0014880

Correction (can't seem to edit):

The Activity section should reflect that the project started on 11/2020, not 2021.

[Activity] - When did the project start? Is is still actively being deployed?
                   This project started on 11/2020 and is being actively deployed.

Issue History

Date Modified Username Field Change
2021-06-30 17:19 tonyg73 New Issue
2021-06-30 19:49 tonyg73 Note Added: 0014880
2021-07-08 23:05 Gamb1t Assigned To => g0tmi1k
2021-07-08 23:05 Gamb1t Status new => assigned