Open preetkaran20 opened 4 years ago
On the topic of public/well-known secrets: https://github.com/BBhacKing/jwt_secrets
The list hasn't been updated in quite a while, but it's a starting point. There's also a list of libraries here: https://jwt.io/libraries which could be reviewed/scraped for example secrets which may have been re-used.
Hi @kingthorin,
we already have a list of well-known secrets: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/resources/weakKeys/wallarm_jwt_hmac_secrets_list
thanks, Karan
Is your feature request related to a problem? Please describe.
Scanners cannot add all types of payloads into their execution, but in case the user wants custom/additional payloads to be included as part of the scanner, we have custom payloads for such a requirement.
This is specifically useful for the case where, say, a key is stolen or is only allowed for test environments but due to some bug it is used to sign the production JWTs; then this can help the organization to validate in pen-tests etc.
This was suggested by @kingthorin. For more information visit: https://github.com/SasanLabs/owasp-zap-jwt-addon/pull/11#issuecomment-723442586
Describe the solution you'd like
Add support for custom payloads where users can add the HMAC keys or other keys which are well known and check if their implementation is vulnerable to those payloads.
Code Reference
PR where custom payloads are added: https://github.com/pulls?q=is%3Apr+author%3Akingthorin+archived%3Afalse+custom+payloads+is%3Aclosed
Code where custom payloads/keys can be used in JWT addon: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/attacks/SignatureAttack.java#L96
We might need to enhance it in case we want to add the RSA-based keys.
Testing the changes
build the addon by running