
Fix multiple issues: Docker latest tag, Korean translation, secure XSS/XXE variants, JWT levels, and Cryptographic failures vulnerability#491

Merged
preetkaran20 merged 7 commits into SasanLabs:master from colloceo:master
Feb 15, 2026

Conversation

@colloceo
Contributor

This PR addresses multiple GitHub issues and adds new vulnerability implementations:

Fixed Issues

#434 - Docker: latest tag not defined

  • Updated docker-compose.yml to use latest tag for VulnerableApp-base image

#426 - Korean translation to resources

  • Added messages_ko.properties with Korean translations for all vulnerability descriptions

#409 - Add 2-3 secured implementations for Reflected XSS

  • Added 2 secure variants (LEVEL_4 and LEVEL_5) to XSSWithHtmlTagInjection
  • Implemented proper HTML escaping using StringEscapeUtils and HtmlUtils.htmlEscapeHex

#410 - Add 2-3 secured implementations for XXE vulnerability

  • Added 1 additional secure implementation (LEVEL_5) to XXEVulnerability
  • Now has 3 secure variants total (LEVEL_3, LEVEL_4, LEVEL_5)
  • Includes comprehensive XXE protection with secure XML parser configuration

#413 - Adding more vulnerable levels to JWT Vulnerability

  • Added 3 new JWT vulnerability levels (LEVEL_14, LEVEL_15, LEVEL_16):
    • LEVEL_14: Very weak key strength vulnerability
    • LEVEL_15: Missing signature verification vulnerability
    • LEVEL_16: Algorithm downgrade vulnerability

#412 - Add a Vulnerability for Cryptographic failures

  • Created new CryptographicFailuresVulnerability class with 6 levels:
    • LEVEL_1: MD5 hashing (CWE-327) - Vulnerable
    • LEVEL_2: SHA1 hashing (CWE-327) - Vulnerable
    • LEVEL_3: DES encryption (CWE-330) - Vulnerable
    • LEVEL_4: Plaintext storage (CWE-326) - Vulnerable
    • LEVEL_5: SHA-256 with salt (Secure)
    • LEVEL_6: AES-256 encryption (Secure)
  • Added corresponding UI templates (HTML, CSS, JS)
  • Added vulnerability types to VulnerabilityType enum

#448 - Expected Issues Locations

  • Updated scanner/sast/expectedIssues.csv with new vulnerability locations
  • Added entries for new XSS secure variants and Cryptographic failures

Additional Changes

  • Updated build.gradle to include commons-codec dependency for cryptographic operations
  • Added message properties for all new vulnerability descriptions
  • All implementations follow existing code patterns and annotation structure

Testing

  • All code compiles successfully
  • Follows existing vulnerability implementation patterns
  • UI templates created for new Cryptographic failures vulnerability
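The two secure reflected-XSS variants in #409 rely on output encoding at the sink. The Python block below is an added example, not VulnerableApp code: it shows a reflected sink in three states, raw, escaped with named/decimal entities (html.escape, the stdlib analogue of the HtmlUtils.htmlEscape path) and escaped with hex character references modelled on HtmlUtils.htmlEscapeHex, and checks each against a text-node payload and an attribute-breakout payload. The templates, payloads and helper names are constructed for the illustration. One caveat a reviewer would add: Apache Commons' StringEscapeUtils.escapeHtml4 does not encode the apostrophe, so a variant built on it alone is not safe for a single-quoted attribute value, which is why the attribute context is included here.

```python
import html

# Two reflection sinks, constructed for this example: a text node and a
# single-quoted attribute value.
BODY_TEMPLATE = "<html><body><p>You searched for: {value}</p></body></html>"
ATTR_TEMPLATE = "<input type='text' name='q' value='{value}'>"

HEX_ESCAPES = {"&": "&#x26;", "<": "&#x3c;", ">": "&#x3e;", '"': "&#x22;", "'": "&#x27;"}


def html_escape_hex(s: str) -> str:
    """Hex numeric-character-reference escaping of the five HTML-significant
    characters, modelled on Spring's HtmlUtils.htmlEscapeHex ('<' -> '&#x3c;')."""
    return "".join(HEX_ESCAPES.get(c, c) for c in s)


def render_vulnerable(template: str, user_input: str) -> str:
    """Vulnerable sink: untrusted input is concatenated into the page unchanged."""
    return template.replace("{value}", user_input)


def render_named_escaped(template: str, user_input: str) -> str:
    """Secure variant with named/decimal entities; quote=True also encodes ' and "
    so the value is inert inside quoted attributes, not only in text nodes."""
    return template.replace("{value}", html.escape(user_input, quote=True))


def render_hex_escaped(template: str, user_input: str) -> str:
    """Secure variant with hex references; same coverage, different encoding."""
    return template.replace("{value}", html_escape_hex(user_input))


def reflected_fragment(rendered: str, template: str) -> str:
    """Cut out exactly what the sink emitted for the untrusted value."""
    prefix, suffix = template.split("{value}")
    if not (rendered.startswith(prefix) and rendered.endswith(suffix)):
        raise ValueError("rendered page does not match template")
    return rendered[len(prefix):len(rendered) - len(suffix)]


def is_inert(fragment: str) -> bool:
    """A fragment that cannot open a tag or close a quoted attribute cannot
    inject markup in these two contexts (it is still displayed as text)."""
    return not any(c in fragment for c in "<>\"'")


def check_all(template: str, payload: str) -> dict:
    """Run one payload through all three sinks; returns {variant: inert?}."""
    return {
        "vulnerable": is_inert(reflected_fragment(render_vulnerable(template, payload), template)),
        "named": is_inert(reflected_fragment(render_named_escaped(template, payload), template)),
        "hex": is_inert(reflected_fragment(render_hex_escaped(template, payload), template)),
    }


if __name__ == "__main__":
    for tpl, payload in ((BODY_TEMPLATE, "<script>alert(1)</script>"),
                         (ATTR_TEMPLATE, "' autofocus onfocus='alert(1)")):
        print(repr(payload), "->", check_all(tpl, payload))
```

The check is deliberately context-specific: escaping the five characters is sufficient for text nodes and quoted attribute values, but not for a value placed inside a JavaScript string, a URL or an unquoted attribute, which need their own encoders.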

…S/XXE variants, JWT levels, Cryptographic failures vulnerability
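The three JWT levels added in #413 (weak key, missing signature verification, algorithm downgrade) are all failures on the verifying side. As an added example that is not VulnerableApp code, the Python block below implements a minimal HS256 issuer, one deliberately weak verifier for each of the last two levels, an attack against each of the three, and a hardened verifier that refuses them all. The function names, the secrets and the claim set are assumptions made for the illustration; the weak key is a four-digit string so the exhaustive search finishes instantly, and the 32-byte minimum in the strict verifier is the HS256 key size that RFC 7518 requires.

```python
import base64
import hashlib
import hmac
import itertools
import json
import string


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a properly signed HS256 token."""
    header, payload = _b64url(_json({"alg": "HS256", "typ": "JWT"})), _b64url(_json(claims))
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


# ---- weak verifiers (missing signature check, algorithm downgrade) -------

def verify_without_signature_check(token: str) -> dict:
    """The payload is decoded and trusted; the signature is never looked at."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_trusting_alg_header(token: str, key: bytes) -> dict:
    """The attacker-controlled header chooses the algorithm, and "none" means
    no signature is checked at all."""
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") == "none":
        return json.loads(_b64url_decode(p))
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


# ---- attacks --------------------------------------------------------------

def tamper_payload(token: str, claims: dict) -> str:
    """Swap the claims and keep the (now invalid) signature."""
    h, _, s = token.split(".")
    return f"{h}.{_b64url(_json(claims))}.{s}"


def forge_alg_none(claims: dict) -> str:
    """Token with alg=none and an empty signature segment."""
    return f"{_b64url(_json({'alg': 'none', 'typ': 'JWT'}))}.{_b64url(_json(claims))}."


def brute_force_key(token: str, alphabet: str = string.digits, max_len: int = 4):
    """Weak key strength: exhaustive search over short secrets. A 4-digit key
    needs at most 11,110 HMAC computations."""
    h, p, s = token.split(".")
    signing_input, target = f"{h}.{p}".encode(), _b64url_decode(s)
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            key = "".join(chars).encode()
            if hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), target):
                return key
    return None


# ---- hardened verifier ----------------------------------------------------

def verify_strict(token: str, key: bytes, min_key_len: int = 32) -> dict:
    """Refuses short keys, pins alg to HS256, refuses an empty signature and
    compares the MAC in constant time."""
    if len(key) < min_key_len:
        raise ValueError("HS256 key shorter than 256 bits")
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("malformed or unsigned token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


if __name__ == "__main__":
    weak = sign_hs256({"sub": "guest"}, b"1234")
    print("recovered weak key:", brute_force_key(weak))
    print("alg=none accepted by weak verifier:",
          verify_trusting_alg_header(forge_alg_none({"sub": "admin"}), b"x" * 32))
```

When a real library is used, the same three checks map onto pinning the accepted algorithm list in the decoder, never calling a decode-without-verify function on the request path, and rejecting keys shorter than the algorithm's minimum at key-loading time.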
@preetkaran20
Member

Thanks for this big PR @colloceo. I might take some time reviewing everything. Sorry for the delay.

@preetkaran20
Member

preetkaran20 commented Feb 10, 2026

@colloceo great work by adding the cryptographic failures. However, I am a bit confused with the UI and also how someone can exploit these bugs.

Why 2 text boxes, and what is the purpose of them? Also, how can someone exploit these vulnerabilities? I think we can just tell the password and ask the user to exploit it: say the password is colloceo and let the user find out another string which has the same hash, and that way the user can know that it is MD5, which is not secure, or something like that.

From a SAST perspective this is very good, but for DAST we need to fix it a bit.

@colloceo
Contributor Author

Regarding the 2 text boxes:
The "Password" field is used for hashing-related levels (LEVEL_1: MD5, LEVEL_2: SHA1, LEVEL_4: Plaintext, LEVEL_5: SHA-256), while the "Data (for encryption)" field is used for encryption-related levels (LEVEL_3: DES, LEVEL_6: AES-256). I agree this is confusing since both fields are always visible regardless of the selected level. I'll fix this by dynamically showing only the relevant input field based on the selected level.

Regarding DAST exploitability:
You're absolutely right. Currently it just demonstrates the algorithm output, which is useful from a SAST/educational perspective but doesn't give the user anything to actually exploit. I'll rework the levels to make them interactive. For example, for the weak hashing levels, the app will store a password using MD5/SHA1 and expose the hash. The user's goal would be to crack the hash (using rainbow tables, online tools, etc.) and submit the original password to "authenticate". This way the user can actually experience why these algorithms are insecure rather than just seeing the output. Similar approach for the encryption levels with weak keys. I will push the updates soon.

Thanks again for the review.
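The interactive design described in this reply (the app exposes an MD5 or SHA-1 hash, the user cracks it and submits the password) is easy to stand up offline. The Python block below is an added example, not VulnerableApp code: it plays the app's storage side and the user's cracking side for the unsalted levels, then does the same against the salted SHA-256 level to show what salting does and does not buy. The wordlist and passwords are constructed. The PBKDF2 functions are a contrast that the PR itself does not implement: a per-user salt defeats precomputed tables, but only a deliberately slow KDF (PBKDF2, bcrypt, scrypt or Argon2) raises the cost of each guess in a dictionary attack.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a rainbow table or leaked-password list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "colloceo", "Summer2025!"]


def store_unsalted(password: str, algo: str) -> str:
    """MD5 / SHA-1 style level: one fast, unsalted digest. Equal passwords give
    equal hashes, so a precomputed table answers every lookup."""
    return hashlib.new(algo, password.encode()).hexdigest()


def crack_unsalted(digest: str, algo: str, wordlist=WORDLIST):
    """The user's move: hash each candidate and compare. No per-user work."""
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == digest:
            return word
    return None


def store_salted_sha256(password: str, salt: bytes = None) -> str:
    """Salted SHA-256 style level: a random 16-byte salt makes the same password
    hash differently per user, so precomputed tables stop working. Each guess
    still costs only one SHA-256, so a wordlist attack is as fast as before."""
    salt = salt or os.urandom(16)
    return salt.hex() + "$" + hashlib.sha256(salt + password.encode()).hexdigest()


def crack_salted_sha256(record: str, wordlist=WORDLIST):
    """Dictionary attack against a salted record: the salt is public, so the
    attacker simply folds it into every candidate."""
    salt_hex, digest = record.split("$")
    salt = bytes.fromhex(salt_hex)
    for word in wordlist:
        if hashlib.sha256(salt + word.encode()).hexdigest() == digest:
            return word
    return None


def store_pbkdf2(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Slow salted KDF (contrast, not a PR level): every guess costs `iterations`
    HMAC-SHA256 calls, so the same wordlist attack is that many times slower."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(record: str, password: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        exposed = store_unsalted("colloceo", algo)
        print(algo, exposed, "->", crack_unsalted(exposed, algo))
    salted = store_salted_sha256("colloceo")
    print("salted sha256", salted, "->", crack_salted_sha256(salted))
    print("pbkdf2 ok:", verify_pbkdf2(store_pbkdf2("colloceo"), "colloceo"))
```

For the challenge UI this suggests one more level beyond the salted one, where the exposed record carries an iteration count and the same wordlist visibly takes orders of magnitude longer to run through; that is the difference the user should come away with.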

@preetkaran20
Member

@colloceo great thought. Thanks

@colloceo
Contributor Author

You are welcome, I will keep you posted once I make and push the updates

colloceo and others added 2 commits February 15, 2026 21:14
…exploitability

Levels now present hash/encoded challenges that users must crack, instead of
just displaying algorithm output. Single password input replaces the confusing
two-textbox UI. Addresses reviewer feedback on UI clarity and exploitability.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Member

@preetkaran20 preetkaran20 left a comment


Great PR @colloceo.

Looks good to me. This is one of the best PR's shared in this repo. Thank you !!!

@preetkaran20 preetkaran20 merged commit eeaab26 into SasanLabs:master Feb 15, 2026
1 check passed
@colloceo
Contributor Author

Thanks for the review and the kind words, @preetkaran20. Happy to see this merged. It was a great learning experience contributing these new levels.
