Adding Custom Payload support for weak keys/publicly well known secrets

[preetkaran20]

Is your feature request related to a problem? Please describe. As Scanners cannot add all the types of payloads into its execution but in case the user wants custom payloads/additional payloads to be included as part of the scanner, we have custom payloads for such requirement.

This is specifically useful for the case, where say a key is stolen or only allowed for test environments but due to some bug they are used to sign the production JWT's, then this can help the organization to validate in pen-tests etc.

This was suggested by @kingthorin . for more information visit: https://github.com/SasanLabs/owasp-zap-jwt-addon/pull/11#issuecomment-723442586

Describe the solution you'd like Add support for custom payloads where users can add the HMAC keys or other keys which are well known and check if their implementation is vulnerable to those payloads.

Code Reference PR where custom payloads are added: https://github.com/pulls?q=is%3Apr+author%3Akingthorin+archived%3Afalse+custom+payloads+is%3Aclosed

Code where custom payloads/keys can be used in JWT addon: https://github.com/SasanLabs/owasp-zap-jwt-addon/blob/master/src/main/java/org/zaproxy/zap/extension/jwt/attacks/SignatureAttack.java#L96

We might need to enhance it in case we want to add the RSA-based keys.

Testing the changes

build the addon by running

1. ./gradlew spotlessApply
2. ./gradlew build Then go to the ZAP -> File -> Local addon file -> Navigate to project -> build -> bin -> jwt*.zap and done.