Identify JWE wih RSA1_5 encryption

[tomato42]

JSON Web Encryption (RFC7516) specifies tokens encrypted with RSAES-PKCS1-v1_5 padding using RSA1_5.

Based on recent results in the Marvin Attack, it's highly unlikely that any API that accepts RSAES-PKCS1-v1_5 encrypted ciphertexts is actually safe against timing variants of the Bleichenbacher attack.

As such, acceptance of such ciphertexts should be recognised as a vulnerability. Use of this algorithm for backwards compatibility is invalid, as the WebCrypto JavaScript API provided by all currently supported browsers supports only OAEP padding (alg id of RSA-OAEP).

Implementations of XMLEnc are also likely vulnerable, but I don't know if it's similarly standardised for use in web APIs as JWE is.

[jeremychoi]

@tomato42 thanks for creating this issue. Just to clarify, are you suggesting we add a test for it?

[tomato42]

are you suggesting we add a test for it?

yes

[jeremychoi]

@tomato42 sounds great. Wondering if you would be able to contribute firsthand? What's needed is, a business logic is implemented with two options: either 1. commit to the upstream ZAP project(adding a scan rule or custom script) then RapiDAST will run it with its ZAP configuration or 2. create your own script file and run it with RapiDAST using the generic scanner configuration. (1) might be beneficial in this case as ZAP can provide you with its API handling mechanism.

[tomato42]

sorry, I definitely won't have time to do that any time soon; I'm still handling the CVEs around Marvin