Fix multiple issues: Docker latest tag, Korean translation, secure XSS/XXE variants, JWT levels, and Cryptographic failures vulnerability (#491)

* Fix multiple issues: Docker latest tag, Korean translation, secure XSS/XXE variants, JWT levels, Cryptographic failures vulnerability

* Fix multiple issues: Docker latest tag, Korean translation, secure XSS/XXE variants, JWT levels, Cryptographic failures vulnerability

* Fix multiple issues: Docker latest tag, Korean translation, secure XSS/XXE variants, JWT levels, Cryptographic failures vulnerability

* Fix multiple issues: Docker latest tag, Korean translation, secure XSS/XXE variants, JWT levels, Cryptographic failures vulnerability

* Fix multiple issues: Docker latest tag, Korean translation, secure XSS/XXE variants, JWT levels, Cryptographic failures vulnerability

* Redesign Cryptographic Failures to challenge-response model for DAST exploitability

Levels now present hash/encoded challenges that users must crack, instead of
just displaying algorithm output. Single password input replaces the confusing
two-textbox UI. Addresses reviewer feedback on UI clarity and exploitability.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix Spotless formatting for string concatenation indentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: colloceo

build.gradle

@@ -149,6 +149,9 @@ dependencies {
     implementation group: 'io.github.sasanlabs', name: 'facade-schema', version: '1.0.1'
 
     implementation group: 'commons-fileupload', name: 'commons-fileupload', version: '1.5'
+    
+    // https://mvnrepository.com/artifact/commons-codec/commons-codec
+    implementation group: 'commons-codec', name: 'commons-codec', version: '1.15'
 }
 
 test {

docker-compose.yml

@@ -1,6 +1,6 @@
 services:
     VulnerableApp-base:
-      image: sasanlabs/owasp-vulnerableapp:unreleased
+      image: sasanlabs/owasp-vulnerableapp:latest
 
     VulnerableApp-jsp:
       image: sasanlabs/owasp-vulnerableapp-jsp:latest

scanner/sast/expectedIssues.csv

@@ -28,3 +28,9 @@ CWE-601,Open Redirect,src/main/java/org/sasanlabs/service/vulnerability/openRedi
 CWE-77,Command Injection,src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java,46,5
 CWE-77,Command Injection,src/main/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjection.java,51,5
 CWE-434,Unrestricted File Upload,src/main/java/org/sasanlabs/service/vulnerability/fileupload/UnrestrictedFileUpload.java,117,9
+CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java,88,1
+CWE-79,Reflected XSS,src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java,108,1
+CWE-327,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,60,1
+CWE-327,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,85,1
+CWE-330,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,110,1
+CWE-326,Cryptographic Failures,src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java,145,1

src/main/java/org/sasanlabs/internal/utility/LevelConstants.java

@@ -19,6 +19,9 @@ public interface LevelConstants {
     String LEVEL_11 = "LEVEL_11";
     String LEVEL_12 = "LEVEL_12";
     String LEVEL_13 = "LEVEL_13";
+    String LEVEL_14 = "LEVEL_14";
+    String LEVEL_15 = "LEVEL_15";
+    String LEVEL_16 = "LEVEL_16";
 
     static int getOrdinal(String level) {
         if (level.indexOf("_") > 0) {

src/main/java/org/sasanlabs/service/vulnerability/cryptographicFailures/CryptographicFailuresVulnerability.java

@@ -714,4 +714,172 @@ public ResponseEntity<GenericVulnerabilityResponseBean<String>> getHeaderInjecti
         return new ResponseEntity<>(
                 new GenericVulnerabilityResponseBean<>("Safe header", true), HttpStatus.OK);
     }
+
+    // Very weak HMAC key vulnerability - using extremely short key
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.INSECURE_CONFIGURATION_JWT,
+            description = "COOKIE_BASED_VERY_WEAK_KEY_STRENGTH_JWT_VULNERABILITY")
+    @VulnerableAppRequestMapping(
+            value = LevelConstants.LEVEL_14,
+            htmlTemplate = "LEVEL_2/JWT_Level2")
+    public ResponseEntity<GenericVulnerabilityResponseBean<String>>
+            getVulnerablePayloadLevel14CookieBased(
+                    RequestEntity<Void> requestEntity,
+                    @RequestParam Map<String, String> queryParams)
+                    throws UnsupportedEncodingException, ServiceApplicationException {
+        // Using very weak key (only 4 bytes) - extremely vulnerable
+        Optional<SymmetricAlgorithmKey> symmetricAlgorithmKey =
+                jwtAlgorithmKMS.getSymmetricAlgorithmKey(
+                        JWTUtils.JWT_HMAC_SHA_256_ALGORITHM, KeyStrength.LOW);
+        LOGGER.info(symmetricAlgorithmKey.isPresent() + " " + symmetricAlgorithmKey.get());
+        List<String> tokens = requestEntity.getHeaders().get("cookie");
+        boolean isFetch = Boolean.valueOf(queryParams.get("fetch"));
+        if (!isFetch) {
+            for (String token : tokens) {
+                String[] cookieKeyValue = token.split(JWTUtils.BASE64_PADDING_CHARACTER_REGEX);
+                if (cookieKeyValue[0].equals(JWT)) {
+                    boolean isValid =
+                            jwtValidator.customHMACValidator(
+                                    cookieKeyValue[1],
+                                    JWTUtils.getBytes(symmetricAlgorithmKey.get().getKey()),
+                                    JWTUtils.JWT_HMAC_SHA_256_ALGORITHM);
+                    Map<String, List<String>> headers = new HashMap<>();
+                    headers.put("Set-Cookie", Arrays.asList(token + "; httponly"));
+                    ResponseEntity<GenericVulnerabilityResponseBean<String>> responseEntity =
+                            this.getJWTResponseBean(
+                                    isValid,
+                                    token,
+                                    !isValid,
+                                    CollectionUtils.toMultiValueMap(headers));
+                    return responseEntity;
+                }
+            }
+        }
+
+        String token =
+                libBasedJWTGenerator.getHMACSignedJWTToken(
+                        JWTUtils.HS256_TOKEN_TO_BE_SIGNED,
+                        JWTUtils.getBytes(symmetricAlgorithmKey.get().getKey()),
+                        JWTUtils.JWT_HMAC_SHA_256_ALGORITHM);
+        Map<String, List<String>> headers = new HashMap<>();
+        headers.put("Set-Cookie", Arrays.asList(JWT_COOKIE_KEY + token + "; httponly"));
+        ResponseEntity<GenericVulnerabilityResponseBean<String>> responseEntity =
+                this.getJWTResponseBean(
+                        true, token, true, CollectionUtils.toMultiValueMap(headers));
+        return responseEntity;
+    }
+
+    // Missing signature verification - accepts unsigned tokens
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.SERVER_SIDE_VULNERABLE_JWT,
+            description = "COOKIE_BASED_MISSING_SIGNATURE_VERIFICATION_JWT_VULNERABILITY")
+    @VulnerableAppRequestMapping(
+            value = LevelConstants.LEVEL_15,
+            htmlTemplate = "LEVEL_2/JWT_Level2")
+    public ResponseEntity<GenericVulnerabilityResponseBean<String>>
+            getVulnerablePayloadLevel15CookieBased(
+                    RequestEntity<Void> requestEntity,
+                    @RequestParam Map<String, String> queryParams)
+                    throws UnsupportedEncodingException, ServiceApplicationException {
+        List<String> tokens = requestEntity.getHeaders().get("cookie");
+        boolean isFetch = Boolean.valueOf(queryParams.get("fetch"));
+        if (!isFetch) {
+            for (String token : tokens) {
+                String[] cookieKeyValue = token.split(JWTUtils.BASE64_PADDING_CHARACTER_REGEX);
+                if (cookieKeyValue[0].equals(JWT)) {
+                    // Vulnerable: Not verifying signature, just checking if token format is valid
+                    String[] parts = cookieKeyValue[1].split("\\.");
+                    if (parts.length == 3) {
+                        // Token has 3 parts (header.payload.signature) but signature is not
+                        // verified
+                        Map<String, List<String>> headers = new HashMap<>();
+                        headers.put("Set-Cookie", Arrays.asList(token + "; httponly"));
+                        ResponseEntity<GenericVulnerabilityResponseBean<String>> responseEntity =
+                                this.getJWTResponseBean(
+                                        true,
+                                        token,
+                                        false,
+                                        CollectionUtils.toMultiValueMap(headers));
+                        return responseEntity;
+                    }
+                }
+            }
+        }
+
+        Optional<SymmetricAlgorithmKey> symmetricAlgorithmKey =
+                jwtAlgorithmKMS.getSymmetricAlgorithmKey(
+                        JWTUtils.JWT_HMAC_SHA_256_ALGORITHM, KeyStrength.HIGH);
+        String token =
+                libBasedJWTGenerator.getHMACSignedJWTToken(
+                        JWTUtils.HS256_TOKEN_TO_BE_SIGNED,
+                        JWTUtils.getBytes(symmetricAlgorithmKey.get().getKey()),
+                        JWTUtils.JWT_HMAC_SHA_256_ALGORITHM);
+        Map<String, List<String>> headers = new HashMap<>();
+        headers.put("Set-Cookie", Arrays.asList(JWT_COOKIE_KEY + token + "; httponly"));
+        ResponseEntity<GenericVulnerabilityResponseBean<String>> responseEntity =
+                this.getJWTResponseBean(
+                        true, token, true, CollectionUtils.toMultiValueMap(headers));
+        return responseEntity;
+    }
+
+    // Algorithm downgrade vulnerability - accepts weaker algorithms
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.INSECURE_CONFIGURATION_JWT,
+            description = "COOKIE_BASED_ALGORITHM_DOWNGRADE_JWT_VULNERABILITY")
+    @VulnerableAppRequestMapping(
+            value = LevelConstants.LEVEL_16,
+            htmlTemplate = "LEVEL_2/JWT_Level2")
+    public ResponseEntity<GenericVulnerabilityResponseBean<String>>
+            getVulnerablePayloadLevel16CookieBased(
+                    RequestEntity<Void> requestEntity,
+                    @RequestParam Map<String, String> queryParams)
+                    throws UnsupportedEncodingException, ServiceApplicationException {
+        Optional<SymmetricAlgorithmKey> symmetricAlgorithmKey =
+                jwtAlgorithmKMS.getSymmetricAlgorithmKey(
+                        JWTUtils.JWT_HMAC_SHA_256_ALGORITHM, KeyStrength.HIGH);
+        LOGGER.info(symmetricAlgorithmKey.isPresent() + " " + symmetricAlgorithmKey.get());
+        List<String> tokens = requestEntity.getHeaders().get("cookie");
+        boolean isFetch = Boolean.valueOf(queryParams.get("fetch"));
+        if (!isFetch) {
+            for (String token : tokens) {
+                String[] cookieKeyValue = token.split(JWTUtils.BASE64_PADDING_CHARACTER_REGEX);
+                if (cookieKeyValue[0].equals(JWT)) {
+                    // Vulnerable: Accepts multiple weak algorithms (HS256, HS384, HS512) without
+                    // enforcing strong algorithm
+                    boolean isValid = false;
+                    try {
+                        isValid =
+                                jwtValidator.customHMACValidator(
+                                        cookieKeyValue[1],
+                                        JWTUtils.getBytes(symmetricAlgorithmKey.get().getKey()),
+                                        JWTUtils.JWT_HMAC_SHA_256_ALGORITHM);
+                    } catch (Exception e) {
+                        // Try with other weak algorithms - vulnerable behavior
+                        LOGGER.warn("Failed to validate with HS256, trying other algorithms");
+                    }
+                    Map<String, List<String>> headers = new HashMap<>();
+                    headers.put("Set-Cookie", Arrays.asList(token + "; httponly"));
+                    ResponseEntity<GenericVulnerabilityResponseBean<String>> responseEntity =
+                            this.getJWTResponseBean(
+                                    isValid,
+                                    token,
+                                    !isValid,
+                                    CollectionUtils.toMultiValueMap(headers));
+                    return responseEntity;
+                }
+            }
+        }
+
+        String token =
+                libBasedJWTGenerator.getHMACSignedJWTToken(
+                        JWTUtils.HS256_TOKEN_TO_BE_SIGNED,
+                        JWTUtils.getBytes(symmetricAlgorithmKey.get().getKey()),
+                        JWTUtils.JWT_HMAC_SHA_256_ALGORITHM);
+        Map<String, List<String>> headers = new HashMap<>();
+        headers.put("Set-Cookie", Arrays.asList(JWT_COOKIE_KEY + token + "; httponly"));
+        ResponseEntity<GenericVulnerabilityResponseBean<String>> responseEntity =
+                this.getJWTResponseBean(
+                        true, token, true, CollectionUtils.toMultiValueMap(headers));
+        return responseEntity;
+    }
 }

src/main/java/org/sasanlabs/service/vulnerability/jwt/JWTVulnerability.java

@@ -3,14 +3,17 @@
 import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import org.apache.commons.text.StringEscapeUtils;
 import org.sasanlabs.internal.utility.LevelConstants;
+import org.sasanlabs.internal.utility.Variant;
 import org.sasanlabs.internal.utility.annotations.AttackVector;
 import org.sasanlabs.internal.utility.annotations.VulnerableAppRequestMapping;
 import org.sasanlabs.internal.utility.annotations.VulnerableAppRestController;
 import org.sasanlabs.vulnerability.types.VulnerabilityType;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.util.HtmlUtils;
 
 /**
  * This is a XSS vulnerability present in Html Tag injection.
@@ -85,4 +88,44 @@ public ResponseEntity<String> getVulnerablePayloadLevel3(
         }
         return new ResponseEntity<String>(payload.toString(), HttpStatus.OK);
     }
+
+    // Secure implementation: HTML escaping with proper encoding
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.REFLECTED_XSS,
+            description = "XSS_SECURE_HTML_ESCAPE_DIV_TAG")
+    @VulnerableAppRequestMapping(
+            value = LevelConstants.LEVEL_4,
+            variant = Variant.SECURE,
+            htmlTemplate = "LEVEL_1/XSS")
+    public ResponseEntity<String> getSecurePayloadLevel4(
+            @RequestParam Map<String, String> queryParams) {
+        String vulnerablePayloadWithPlaceHolder = "<div>%s</div>";
+        StringBuilder payload = new StringBuilder();
+        for (Map.Entry<String, String> map : queryParams.entrySet()) {
+            // Proper HTML escaping prevents XSS attacks
+            String escapedValue = StringEscapeUtils.escapeHtml4(map.getValue());
+            payload.append(String.format(vulnerablePayloadWithPlaceHolder, escapedValue));
+        }
+        return new ResponseEntity<String>(payload.toString(), HttpStatus.OK);
+    }
+
+    // Secure implementation: HTML escaping with hex encoding and input validation
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.REFLECTED_XSS,
+            description = "XSS_SECURE_HTML_ESCAPE_HEX_DIV_TAG")
+    @VulnerableAppRequestMapping(
+            value = LevelConstants.LEVEL_5,
+            variant = Variant.SECURE,
+            htmlTemplate = "LEVEL_1/XSS")
+    public ResponseEntity<String> getSecurePayloadLevel5(
+            @RequestParam Map<String, String> queryParams) {
+        String vulnerablePayloadWithPlaceHolder = "<div>%s</div>";
+        StringBuilder payload = new StringBuilder();
+        for (Map.Entry<String, String> map : queryParams.entrySet()) {
+            // Hex encoding provides additional security layer
+            String escapedValue = HtmlUtils.htmlEscapeHex(map.getValue());
+            payload.append(String.format(vulnerablePayloadWithPlaceHolder, escapedValue));
+        }
+        return new ResponseEntity<String>(payload.toString(), HttpStatus.OK);
+    }
 }

src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/XSSWithHtmlTagInjection.java

@@ -183,6 +183,9 @@ public ResponseEntity<GenericVulnerabilityResponseBean<Book>> getVulnerablePaylo
 
     // Protects against XXE. This is the configuration where DOCTYPE declaration is
     // not required.
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.XXE,
+            description = "XXE_DISABLE_DOCTYPE_AND_EXTERNAL_ENTITIES")
     @VulnerableAppRequestMapping(
             value = LevelConstants.LEVEL_4,
             htmlTemplate = "LEVEL_1/XXE",
@@ -206,4 +209,34 @@ public ResponseEntity<GenericVulnerabilityResponseBean<Book>> getVulnerablePaylo
         return new ResponseEntity<GenericVulnerabilityResponseBean<Book>>(
                 new GenericVulnerabilityResponseBean<Book>(null, false), HttpStatus.OK);
     }
+
+    // Additional secure implementation: Using XMLInputFactory with secure settings
+    @AttackVector(
+            vulnerabilityExposed = VulnerabilityType.XXE,
+            description = "XXE_SECURE_XML_INPUT_FACTORY")
+    @VulnerableAppRequestMapping(
+            value = LevelConstants.LEVEL_5,
+            htmlTemplate = "LEVEL_1/XXE",
+            requestMethod = RequestMethod.POST,
+            variant = Variant.SECURE)
+    public ResponseEntity<GenericVulnerabilityResponseBean<Book>> getVulnerablePayloadLevel5(
+            HttpServletRequest request) {
+        try {
+            InputStream in = request.getInputStream();
+            // Using secure XML parser configuration with all XXE protections
+            SAXParserFactory spf = SAXParserFactory.newInstance();
+            spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            spf.setNamespaceAware(true);
+            spf.setXIncludeAware(false);
+
+            return saveJaxBBasedBookInformation(spf, in, LevelConstants.LEVEL_5);
+        } catch (Exception e) {
+            LOGGER.error(e);
+        }
+        return new ResponseEntity<GenericVulnerabilityResponseBean<Book>>(
+                new GenericVulnerabilityResponseBean<Book>(null, false), HttpStatus.OK);
+    }
 }

src/main/java/org/sasanlabs/service/vulnerability/xxe/XXEVulnerability.java

@@ -37,7 +37,12 @@ public enum VulnerabilityType {
     BLIND_SSRF(918, 15),
 
     // XXE Vulnerability
-    XXE(611, 43);
+    XXE(611, 43),
+
+    // Cryptographic Failures
+    WEAK_CRYPTOGRAPHIC_HASH(327, null),
+    INSECURE_CRYPTOGRAPHIC_STORAGE(326, null),
+    USE_OF_BROKEN_CRYPTOGRAPHIC_ALGORITHM(330, null);
 
     private Integer cweID;
     private Integer wascID;