[Name] - PSJsonWebToken
[Version] - What version of the tool should be added?
Version 1.7.7
[Homepage] - Where can the tool be found online? Where to go to get more information?
https://github.com/anthonyg-1/PSJsonWebToken
https://www.powershellgallery.com/packages/PSJsonWebToken/1.7.7
[Download] - Where to go to get the tool? either a download page or a link to the latest version
Can be installed from the PowerShell Gallery by executing the following command from pwsh:
Install-Module -Name PSJsonWebToken -Repository PSGallery -RequiredVersion 1.7.7
Links:
https://www.powershellgallery.com/packages/PSJsonWebToken/1.7.7
https://github.com/anthonyg-1/PSJsonWebToken
[Author] - Who made the tool?
Anthony Guimelli
https://www.linkedin.com/in/anthony-guimelli-cissp-867b0918a/
[Licence] - How is the software distributed? What conditions does it come with?
The software is distributed via the PowerShell Gallery and/or direct download from the module's github repo. MIT license applies: https://github.com/anthonyg-1/PSJsonWebToken/blob/main/LICENSE
[Description] - What is the tool about? What does it do?
PSJsonWebToken is a PowerShell module that allows for the creation and manipulation of JSON Web Tokens (JWTs), an authentication token defined in RFC 7519, and JSON Web Keys (JWKs), an x509 public key serialized as JSON per RFC 7517. Both JWTs and JWKs are very common in modern web application security due to the prevalence of OpenID Connect. The benefits this module can offer a penetration tester include, but are not limited to:
1) Token manipulation and subsequent submission to an endpoint (via Get-JsonWebTokenPayload which decodes and deserializes a payload for manipulation and ConvertTo-JwtPart which encodes and serializes the manipulated payload)
2) The ability for a tester to craft their own tokens with a custom payload (via New-JwtSignature)
3) Brute-forcing HS256, HS484, and HS512 signed JWTs (via Test-JsonWebToken or Test-JwtSignature)
4) The ability to test an endpoint that accepts JWT vulnerabilities such as the "none" algorithm attack, algorithm substitution attack, CVE-2018-0114 (passing a jku in the header that references the attacker's JWK set URI, etc.).
The modular characteristics of this module make crafting custom attacks against endpoints that accept JWTs quick and efficient. For more please see the “JWT Attacks” section here: https://github.com/anthonyg-1/PSJsonWebToken
[Dependencies] - What is needed for the tool to work?
PowerShell 5.1 or above. Since Kali Linux comes with PowerShell 7.1.3, this will suffice. This module was developed on PowerShell 7.1.0 on Ubuntu 18.04 and tested on Ubuntu 20.04, Kali Linux 2021.1, Windows 10 and MacOS.
[Similar tools] - What other tools are out there?
Burp has a JWT plugin and Python has PyJwt. While there are a few other PowerShell modules for JWTs, none of these have JWK support and several of these don’t work on PowerShell Core (6.0 and above which is required for Linux).
[Activity] - When did the project start? Is is still actively being deployed?
This project started on 11/2021 and is being actively deployed.
[How to install] - How do you compile it? Note, using source code to acquire (e.g. git clone/svn checkout) can’t be used - Also downloading from the head. Please use a “tag” or “release” version.
This is a PowerShell module written in over 99% PowerShell and less than 1% C#. To that end, compilation is not necessary. To obtain and use the module type the following from PowerShell in Kali Linux:
Install-Module -Name PSJsonWebToken -Repository PSGallery -RequiredVersion 1.7.7
[How to use] - What are some basic commands/functions to demonstrate it?
Demonstration of multiple cmdlets can be found in the “JWT Attacks” section here: https://github.com/anthonyg-1/PSJsonWebToken
If needed I can copy them here but the formatting and clarity will be lost compared to what is shown in the above markdown.
[Packaged] - Is the tool already packaged for Debian?
This tool is packaged for any system running PowerShell 5.1 and above. | 
