Adding Custom Payload support for weak keys/publicly well known secrets #15
Description
Is your feature request related to a problem? Please describe.
As Scanners cannot add all the types of payloads into its execution but in case the user wants custom payloads/additional payloads to be included as part of the scanner, we have custom payloads for such requirement.
This is specifically useful for the case, where say a key is stolen or only allowed for test environments but due to some bug they are used to sign the production JWT's, then this can help the organization to validate in pen-tests etc.
This was suggested by @kingthorin . for more information visit: #11 (comment)
Describe the solution you'd like
Add support for custom payloads where users can add the HMAC keys or other keys which are well known and check if their implementation is vulnerable to those payloads.
Code Reference
PR where custom payloads are added: https://github.com/pulls?q=is%3Apr+author%3Akingthorin+archived%3Afalse+custom+payloads+is%3Aclosed
Code where custom payloads/keys can be used in JWT addon: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/attacks/SignatureAttack.java#L96
We might need to enhance it in case we want to add the RSA-based keys.
Testing the changes
build the addon by running
- ./gradlew spotlessApply
- ./gradlew build
Then go to the ZAP -> File -> Local addon file -> Navigate to project -> build -> bin -> jwt*.zap and done.