Add missing broken crypto algorithms

2026-04-30 03:05:15 +02:00 · 2020-12-16 04:29:23 +00:00
parent 9ff6d68a9b
commit d7facb42d6
4 changed files with 10 additions and 3 deletions
--- a/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -12,7 +12,7 @@ data.</p>
 </overview>
 <recommendation>

-<p>Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048.</p>
+<p>Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048. Do not use the ECB encryption mode since it is vulnerable to reply attacks.</p>

 </recommendation>
 <example>
--- a/java/ql/src/semmle/code/java/security/Encryption.qll
+++ b/java/ql/src/semmle/code/java/security/Encryption.qll
@@ -97,7 +97,9 @@ string getAnInsecureAlgorithmName() {
  result = "RC2" or
  result = "RC4" or
  result = "RC5" or
-  result = "ARCFOUR" // a variant of RC4
+  result = "ARCFOUR" or // a variant of RC4
+  result = "ECB" or // encryption mode ECB like AES/ECB/NoPadding is vulnerable to replay attacks
+  result = "AES/CBC/PKCS5Padding" // CBC mode of operation with PKCS#5 (or PKCS#7) padding is vulnerable to padding oracle attacks
 }

 /**
--- a/java/ql/test/library-tests/Encryption/Test.java
+++ b/java/ql/test/library-tests/Encryption/Test.java
@@ -10,7 +10,10 @@ class Test {
 			"des",
 			"des_function",
 			"function_using_des",
-			"EncryptWithDES");
+			"EncryptWithDES",
+			"AES/ECB/NoPadding",
+			"AES/CBC/PKCS5Padding");
+

 	List<String> goodStrings = Arrays.asList(
 			"AES",
--- a/java/ql/test/library-tests/Encryption/insecure.expected
+++ b/java/ql/test/library-tests/Encryption/insecure.expected
@@ -3,3 +3,5 @@
 | Test.java:11:4:11:17 | "des_function" |
 | Test.java:12:4:12:23 | "function_using_des" |
 | Test.java:13:4:13:19 | "EncryptWithDES" |
+| Test.java:14:4:14:22 | "AES/ECB/NoPadding" |
+| Test.java:15:4:15:25 | "AES/CBC/PKCS5Padding" |