Incorporating review comments

Author: preetkaran20

CHANGELOG.md

@@ -3,8 +3,13 @@ All notable changes to this add-on will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## Unreleased
+
+### Added
+ - Support for validating usage of publicly well known HMac secrets for signing JWT.
+
 ## [1.0.0] - 2020-09-03
 
  - First version of JWT Support.
    - Contains scanning rules for basic JWT related vulnerabilities.
-   - Contains JWT Fuzzer for fuzzing the JWT's present in the request.
+   - Contains JWT Fuzzer for fuzzing the JWT's present in the request.

src/main/resources/org/zaproxy/zap/extension/jwt/resources/Messages.properties

@@ -84,10 +84,11 @@ jwt.scanner.server.vulnerability.signatureAttack.jwkCustomKey.desc=JWT library i
 jwt.scanner.server.vulnerability.signatureAttack.jwkCustomKey.refs=https://nvd.nist.gov/vuln/detail/CVE-2018-0114
 jwt.scanner.server.vulnerability.signatureAttack.jwkCustomKey.soln=Validating Library should not depend on user provided input
 
-jwt.scanner.server.vulnerability.signatureAttack.publiclyKnownSecrets.name=Publicly well known HMac secret attack
-jwt.scanner.server.vulnerability.signatureAttack.publiclyKnownSecrets.desc=JWT tokens signed using HMac algorithm requires secret key and there are publicly well known secret keys which should not be used for signing the JWT token as it can cause various attacks like identity theft, user impersonation etc. 
+jwt.scanner.server.vulnerability.signatureAttack.publiclyKnownSecrets.name=Publicly Well Known HMac Secret Attack
+jwt.scanner.server.vulnerability.signatureAttack.publiclyKnownSecrets.desc=JSON web tokens signed using HMac algorithm requires secret key and there are publicly well known secret keys which should not be used for signing the JSON web token as it can cause various attacks like identity theft, user impersonation etc. 
 jwt.scanner.server.vulnerability.signatureAttack.publiclyKnownSecrets.refs=https://lab.wallarm.com/340-weak-jwt-secrets-you-should-check-in-your-code
 jwt.scanner.server.vulnerability.signatureAttack.publiclyKnownSecrets.soln=Secret keys used for signing should not be publicly well known or easy to guess. 
+jwt.scanner.server.vulnerability.signatureAttack.publiclyKnownSecrets.param=JWT: \"{0}\" is signed by: \"{1}\"
 
 jwt.scanner.server.vulnerability.payloadAttack.nullByte.name=Null Byte Injection Attack
 jwt.scanner.server.vulnerability.payloadAttack.nullByte.desc=Payload bytes after null byte are ignored ie not included in validation of JWT hence JWT validator is vulnerable to null byte injection
@@ -101,6 +102,4 @@ jwt.scanner.server.vulnerability.miscAttack.emptyTokens.soln=Tokens even if empt
 
 # JWT scanner references and solutions
 jwt.scanner.refs=https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html
-jwt.scanner.soln=See reference for further information. The solution depends on implementation details
-
-jwt.scanner.server.vulnerability.signatureAttack.publiclyKnownSecrets.param=JWT: {0} is signed by: \"{1}\"
+jwt.scanner.soln=See reference for further information. The solution depends on implementation details