fix: Maintain implementation so as not to be dependent on external de…

…pendency and update messages

src/main/java/org/sasanlabs/service/vulnerability/jwt/JWTVulnerability.java

@@ -3,11 +3,11 @@
 import static org.sasanlabs.service.vulnerability.jwt.bean.JWTUtils.GENERIC_BASE64_ENCODED_PAYLOAD;
 
 import com.auth0.jwt.JWT;
-import com.auth0.jwt.algorithms.Algorithm;
-import com.auth0.jwt.interfaces.DecodedJWT;
-import com.auth0.jwt.interfaces.JWTVerifier;
+import com.nimbusds.jose.JWSVerifier;
+import com.nimbusds.jose.crypto.RSASSAVerifier;
 import com.nimbusds.jose.jwk.JWK;
 import com.nimbusds.jose.jwk.RSAKey;
+import com.nimbusds.jwt.SignedJWT;
 import java.io.UnsupportedEncodingException;
 import java.security.KeyPair;
 import java.security.interfaces.RSAPrivateKey;
@@ -672,39 +672,38 @@ private ResponseEntity<GenericVulnerabilityResponseBean<String>> getJWTResponseB
 
     @AttackVector(
             vulnerabilityExposed = VulnerabilityType.HEADER_INJECTION,
-            description = "HEADER_INJECTION_VULNERABILITY_EXAMPLE")
+            description = "HEADER_INJECTION_VULNERABILITY")
     @VulnerableAppRequestMapping(
             value = LevelConstants.LEVEL_13,
             htmlTemplate = "LEVEL_13/HeaderInjection_Level13")
     public ResponseEntity<GenericVulnerabilityResponseBean<String>> getHeaderInjectionVulnerability(
             HttpServletRequest request) {
         String jwtToken = request.getHeader("Authorization");
-        if (jwtToken == null || !jwtToken.startsWith("Bearer ")) {
+        if (jwtToken == null || !jwtToken.startsWith(JWTUtils.BEARER_PREFIX)) {
             return new ResponseEntity<>(
                     new GenericVulnerabilityResponseBean<>("No JWT token provided", true),
                     HttpStatus.BAD_REQUEST);
         }
 
-        jwtToken = jwtToken.substring(7); // Remove "Bearer " prefix
+        jwtToken = jwtToken.replaceFirst("^" + JWTUtils.BEARER_PREFIX, "").trim();
 
         try {
-            DecodedJWT decodedJWT = com.auth0.jwt.JWT.decode(jwtToken);
-            String jwkHeader = decodedJWT.getHeaderClaim("jwk").asString();
+            SignedJWT signedJWT = SignedJWT.parse(jwtToken);
+
+            String jwkHeader = (String) signedJWT.getHeader().toJSONObject().get("jwk");
 
             if (jwkHeader != null) {
                 JWK jwk = JWK.parse(jwkHeader);
-
                 RSAKey rsaKey = (RSAKey) jwk;
                 RSAPublicKey publicKey = rsaKey.toRSAPublicKey();
 
-                Algorithm algorithm = Algorithm.RSA256(publicKey, null);
-                JWTVerifier verifier = com.auth0.jwt.JWT.require(algorithm).build();
-                verifier.verify(jwtToken);
-
-                return new ResponseEntity<>(
-                        new GenericVulnerabilityResponseBean<>(
-                                "JWK Header Injection Exploited!", false),
-                        HttpStatus.OK);
+                JWSVerifier verifier = new RSASSAVerifier(publicKey);
+                if (signedJWT.verify(verifier)) {
+                    return new ResponseEntity<>(
+                            new GenericVulnerabilityResponseBean<>(
+                                    "JWK Header Injection Exploited!", false),
+                            HttpStatus.OK);
+                }
             }
 
         } catch (Exception e) {

src/main/java/org/sasanlabs/service/vulnerability/jwt/bean/JWTUtils.java

@@ -37,6 +37,7 @@ public class JWTUtils {
     public static final String JWT_EC_ALGORITHM_IDENTIFIER = "EC";
     public static final String JWT_OCTET_ALGORITHM_IDENTIFIER = "ED";
     public static final String JWT_HMAC_SHA_256_ALGORITHM = "HS256";
+    public static final String BEARER_PREFIX = "Bearer ";
     // TODO need to make it better.
     public static final String HS256_TOKEN_TO_BE_SIGNED =
             "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."

src/main/resources/i18n/messages_en_US.properties

@@ -288,4 +288,4 @@ SSRF_VULNERABILITY_URL_IF_NOT_FILE_PROTOCOL_AND_INTERNAL_METADATA_URL=file:// pr
 SSRF_VULNERABILITY_URL_ONLY_IF_IN_THE_WHITELIST=Only Whitelisted URL is allowed.
 
 # JWT Injection Header
-HEADER_INJECTION_VULNERABILITY_EXAMPLE=Header Injection Vulnerability Example
+HEADER_INJECTION_VULNERABILITY=It tests how a JWT header can be manipulated to alter the signature verification.

src/main/resources/i18n/messages_es.properties

@@ -229,7 +229,7 @@ COOKIE_BASED_FOR_JWK_HEADER_BASED_JWT_VULNERABILITY=Validador de token JWT basad
 COOKIE_BASED_EMPTY_TOKEN_JWT_VULNERABILITY=Token JWT basado en cookies, vulnerable por el ataque de token vacío.
 
 # JWT Injection Header
-HEADER_INJECTION_VULNERABILITY_EXAMPLE=Ejemplo de vulnerabilidad de inyección de encabezado
+HEADER_INJECTION_VULNERABILITY=Prueba cómo un encabezado JWT puede ser manipulado para alterar la verificación de la firma.
 
 
 # SQL Injection Vulnerability