
Adding Custom Payload support for weak keys/publicly well known secrets #15

Open
preetkaran20 opened this issue Nov 7, 2020 · 2 comments
Labels: analysis, documentation (Improvements or additions to documentation), enhancement (New feature or request), good first issue (Good for newcomers)

Comments

preetkaran20 (Member) commented Nov 7, 2020

Is your feature request related to a problem? Please describe.
As scanners cannot add all types of payloads into their execution, but in case the user wants custom payloads/additional payloads to be included as part of the scanner, we have custom payloads for such a requirement.

This is specifically useful for the case where, say, a key is stolen or only allowed for test environments but due to some bug it is used to sign the production JWTs; then this can help the organization validate it in pen-tests etc.

This was suggested by @kingthorin. For more information visit: #11 (comment)

Describe the solution you'd like
Add support for custom payloads where users can add the HMAC keys or other keys which are well known and check if their implementation is vulnerable to those payloads.

Code Reference
PR where custom payloads are added: https://github.com/pulls?q=is%3Apr+author%3Akingthorin+archived%3Afalse+custom+payloads+is%3Aclosed

Code where custom payloads/keys can be used in JWT addon: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/attacks/SignatureAttack.java#L96

We might need to enhance it in case we want to add the RSA-based keys.

Testing the changes

Build the addon by running:

  1. ./gradlew spotlessApply
  2. ./gradlew build

Then go to ZAP -> File -> Local addon file -> navigate to project -> build -> bin -> jwt*.zap and done.
@preetkaran20 preetkaran20 added analysis documentation Improvements or additions to documentation enhancement New feature or request good first issue Good for newcomers labels Nov 7, 2020
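The check the issue asks for (does one of a list of well-known HMAC secrets verify a given JWT signature?) is small enough to show end to end. The block below is an added example written for this thread; it is not code from the owasp-zap-jwt-addon and does not use its `SignatureAttack` class. The secret list and the sample token are constructed here for illustration; in the addon the candidate list would come from the bundled `wallarm_jwt_hmac_secrets_list` resource plus any user-supplied custom payloads. It handles all three HS algorithms and skips tokens whose header names a non-HMAC algorithm, which is the case the issue notes would need separate RSA handling.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional

# Constructed sample of weak/well-known HMAC secrets (the addon's real list
# is far longer; these values are only illustrative).
WELL_KNOWN_SECRETS = ["secret", "password", "changeme", "your-256-bit-secret"]

# JWS uses base64url without padding; decoding has to restore the padding.
HS_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict, secret: str) -> str:
    """Build an HS256 JWT. Used here only to construct a sample token to scan."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def find_weak_hmac_key(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate secret that verifies the token's signature, or None.

    Only HS256/HS384/HS512 tokens are checked; a token signed with any other
    algorithm (RS256, ES256, ...) is reported as not verifiable by an HMAC key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None  # not a compact JWS
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        expected = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    digest = HS_DIGESTS.get(header.get("alg", ""))
    if digest is None:
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    for secret in candidates:
        mac = hmac.new(secret.encode(), signing_input, digest).digest()
        # compare_digest avoids leaking match length through timing.
        if hmac.compare_digest(mac, expected):
            return secret
    return None


if __name__ == "__main__":
    sample = make_hs256_token({"sub": "alice", "role": "admin"}, "changeme")
    print("weak key found:", find_weak_hmac_key(sample, WELL_KNOWN_SECRETS))
```

A finding here means the signing secret is on a public list, so any holder of that list can mint tokens; the remediation is rotating to a long random secret (or an asymmetric algorithm), not just removing the entry from the scanner's list.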
kingthorin (Collaborator) commented

On the topic of public/well-known secrets: https://github.com/BBhacKing/jwt_secrets

The list hasn't been updated in quite a while, but it's a starting point. There's also a list of libraries here: https://jwt.io/libraries which could be reviewed/scraped for example secrets which may have been re-used.

preetkaran20 (Member, Author) commented

Hi @kingthorin,

We already have a list of well-known secrets: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/resources/weakKeys/wallarm_jwt_hmac_secrets_list

thanks,
Karan
