Adding Attack vector for finding vulnerabilities related to JWE #12

Open
preetkaran20 opened this issue Oct 7, 2020 · 3 comments
Labels: analysis, documentation (Improvements or additions to documentation), enhancement (New feature or request)

Comments

preetkaran20 (Member) commented Oct 7, 2020

Is your feature request related to a problem? Please describe.

We are currently only handling JWS, but we have not handled JWE, so under this enhancement we are looking to add:

  1. Analysing vulnerabilities related to JWE by going through various blogs, bug bounties, and other scanner add-ons
  2. Implementing the attack vectors
  3. Adding the vulnerable code in https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/java/org/sasanlabs/service/vulnerability/jwt/JWTVulnerability.java so that we can test the attack vectors
  4. Adding a design document regarding the same

Code References
Attack vectors: https://github.com/SasanLabs/owasp-zap-jwt-addon/tree/master/src/main/java/org/zaproxy/zap/extension/jwt/attacks
Adding Support for parsing JWE:

public static boolean isTokenValid(String jwtToken) {

Fuzzer code: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/fuzzer/ui/JWTFuzzPanelView.java
Scan Rule code: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/JWTActiveScanRule.java

Testing the changes
Build the add-on by running:

  1. ./gradlew spotlessApply
  2. ./gradlew build
  3. Then go to ZAP -> File -> Local addon file -> navigate to project -> build -> bin -> jwt*.zap, and done.
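As an added example (not code from the add-on or VulnerableApp), the structural distinction the JWE parsing change has to make: a JWS compact token has three dot-separated segments, a JWE has five, and a JWE protected header must carry `enc` as well as `alg`. The `is_token_valid` function below is a hypothetical Python re-implementation of the kind of check the referenced `isTokenValid` method would need, extended with an algorithm allowlist; the sample tokens are constructed with placeholder signature and ciphertext bytes.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # Compact serialization drops '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def classify_token(token: str) -> dict:
    """Split the compact serialization: 3 segments is a JWS, 5 is a JWE.
    Returns the kind and the decoded protected header; raises ValueError
    when the structure or the required header members are missing."""
    parts = token.split(".")
    kinds = {3: "JWS", 5: "JWE"}
    if len(parts) not in kinds:
        raise ValueError(f"expected 3 (JWS) or 5 (JWE) segments, got {len(parts)}")
    kind = kinds[len(parts)]
    header = json.loads(_b64url_decode(parts[0]))  # binascii/JSON errors are ValueErrors
    if not isinstance(header, dict) or "alg" not in header:
        raise ValueError("protected header must be a JSON object carrying 'alg'")
    if kind == "JWE" and "enc" not in header:
        raise ValueError("a JWE protected header must also carry 'enc'")
    return {"kind": kind, "header": header}

def is_token_valid(token: str, allowed_alg, allowed_enc=()) -> bool:
    """Hypothetical structural pre-check in the spirit of the add-on's isTokenValid:
    well-formed, and header algorithms inside an allowlist. It does not verify
    a signature or decrypt anything; that is the next step, not this one."""
    try:
        info = classify_token(token)
    except ValueError:
        return False
    header = info["header"]
    if header["alg"] not in allowed_alg:  # rejects e.g. alg "none" on a JWS
        return False
    return info["kind"] == "JWS" or header["enc"] in allowed_enc

# Constructed sample tokens: placeholder signature/ciphertext bytes, not real crypto.
JWS_SAMPLE = ".".join([
    _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"sub": "alice"}).encode()),
    _b64url(b"\x00" * 32),
])
JWE_SAMPLE = ".".join([
    _b64url(json.dumps({"alg": "RSA-OAEP", "enc": "A256GCM"}).encode()),
    _b64url(b"\x01" * 32), _b64url(b"\x02" * 12), _b64url(b"\x03" * 16), _b64url(b"\x04" * 16),
])
```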
@preetkaran20 preetkaran20 added analysis enhancement New feature or request question Further information is requested labels Oct 7, 2020
kingthorin (Collaborator) commented:

This seems like a good summary:

A signed JWT is known as a JWS (JSON Web Signature). In fact a JWT does not exist itself — either it has to be a JWS or a JWE (JSON Web Encryption). It's like an abstract class — the JWS and JWE are the concrete implementations.

https://medium.facilelogin.com/jwt-jws-and-jwe-for-not-so-dummies-b63310d201a3


@preetkaran20 preetkaran20 self-assigned this Nov 7, 2020
@preetkaran20 preetkaran20 removed their assignment Sep 25, 2021
@preetkaran20 preetkaran20 changed the title JWT -> JWS + JWE Adding Vulnerabilities related to JWE Sep 25, 2021
@preetkaran20 preetkaran20 changed the title Adding Vulnerabilities related to JWE Adding Attack vector for finding vulnerabilities related to JWE Sep 25, 2021
@preetkaran20 preetkaran20 added Hacktoberfest documentation Improvements or additions to documentation and removed question Further information is requested labels Sep 25, 2021
preetkaran20 (Member Author) commented Aug 25, 2023

Document: https://owasp.slack.com/archives/C0F7D6DFH/p1692972988225639?thread_ts=1692958820.853539&cid=C0F7D6DFH, which can help.

Content:

There were a couple of talks at OWASP events mentioning JWE, but as it is a pure encryption standard I do not see many resources about it in OWASP apart from the general guidelines on safe use of JWT. In terms of vulnerabilities in JWE, I have found this article on the Auth0 blog talking about a critical vulnerability in JWE: https://auth0.com/blog/critical-vulnerability-in-json-web-encryption/ and a few more.
JWE security considerations were listed here: https://www.jbspeakr.cc/jwe-token-json-web-encryption/
