Open preetkaran20 opened 3 years ago
This seems like a good summary:
A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). Its like an abstract class — the JWS and JWE are the concrete implementations.
https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3
https://auth0.com/blog/critical-vulnerability-in-json-web-encryption/ -> Attack against JWE
document: https://owasp.slack.com/archives/C0F7D6DFH/p1692972988225639?thread_ts=1692958820.853539&cid=C0F7D6DFH which can help
Content:
there were a couple of talks at OWASP events mentioning JWE, but as it is a pure Encryption standard I do not see much
resources about it in OWASP apart from the general guidelines in safe use in JWT. In terms of vulnerabilities in JWE.
I have found this article in
Auth0 blog talking about a critical vulnerability in JWE: https://auth0.com/blog/critical-vulnerability-in-json-web-encryption/ and a few more
JWE Security Considerations were listed here: https://www.jbspeakr.cc/jwe-token-json-web-encryption/
Is your feature request related to a problem? Please describe.
We have currently only handing JWS but we have not handled JWE so under this enhancement we are looking to add:
Code References Attack vectors: https://github.com/SasanLabs/owasp-zap-jwt-addon/tree/master/src/main/java/org/zaproxy/zap/extension/jwt/attacks Adding Support for parsing JWE: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/ec58672c0951a23cf4544fd0e41b72eb9328a78d/src/main/java/org/zaproxy/zap/extension/jwt/utils/JWTUtils.java#L139 Fuzzer code: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/fuzzer/ui/JWTFuzzPanelView.java Scan Rule code: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/JWTActiveScanRule.java
Testing the changes build the addon by running