[MASWE-0020] Weak Encryption (by @appknox)

demos/android/MASVS-CRYPTO/MASTG-DEMO-0022/MASTG-DEMO-0022.md

@@ -0,0 +1,31 @@
+---
+platform: android
+title: Uses of Insecure Encryption Algorithms in Cipher with semgrep
+id: MASTG-DEMO-0022
+code: [java]
+---
+
+### Sample
+
+{{ MastgTest.kt # MastgTest_reversed.java }}
+
+### Steps
+
+Let's run our @MASTG-TOOL-0110 rule against the sample code.
+
+{{ ../../../../rules/mastg-android-weak-encryption.yaml }}
+
+{{ run.sh }}
+
+### Observation
+
+The rule has identified five instances in the code file where an insecure encryption is used. The specified line numbers can be located in the original code for further investigation and remediation.
+
+{{ output.txt }}
+
+### Evaluation
+
+The reported instances include:
+
+- Line 36 utilize insecure DES algorithm.
+- Line 59 utilize insecure 3DES algorithm.

demos/android/MASVS-CRYPTO/MASTG-DEMO-0022/MastgTest.java

@@ -0,0 +1,77 @@
+package org.owasp.mastestapp;
+
+import android.content.Context;
+import android.util.Base64;
+import java.security.Key;
+import javax.crypto.Cipher;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.DESKeySpec;
+import javax.crypto.spec.DESedeKeySpec;
+import kotlin.Metadata;
+import kotlin.jvm.internal.Intrinsics;
+import kotlin.text.Charsets;
+
+/* compiled from: MastgTest.kt */
+@Metadata(d1 = {"\u0000\u001a\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0002\b\u0004\b\u0007\u0018\u00002\u00020\u0001B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0006\u0010\u0005\u001a\u00020\u0006J\u000e\u0010\u0007\u001a\u00020\u00062\u0006\u0010\b\u001a\u00020\u0006J\u000e\u0010\t\u001a\u00020\u00062\u0006\u0010\b\u001a\u00020\u0006R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\n"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "(Landroid/content/Context;)V", "mastgTest", "", "vulnerable3DesEncryption", "data", "vulnerableDesEncryption", "app_debug"}, k = 1, mv = {1, 9, 0}, xi = 48)
+/* loaded from: classes4.dex */
+public final class MastgTest {
+    public static final int $stable = 8;
+    private final Context context;
+
+    public MastgTest(Context context) {
+        Intrinsics.checkNotNullParameter(context, "context");
+        this.context = context;
+    }
+
+    public final String vulnerableDesEncryption(String data) {
+        Intrinsics.checkNotNullParameter(data, "data");
+        try {
+            byte[] bytes = "12345678".getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
+            DESKeySpec keySpec = new DESKeySpec(bytes);
+            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");
+            Key generateSecret = keyFactory.generateSecret(keySpec);
+            Intrinsics.checkNotNullExpressionValue(generateSecret, "generateSecret(...)");
+            Key secretKey = generateSecret;
+            Cipher cipher = Cipher.getInstance("DES");
+            cipher.init(1, secretKey);
+            byte[] bytes2 = data.getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(bytes2, "this as java.lang.String).getBytes(charset)");
+            byte[] encryptedData = cipher.doFinal(bytes2);
+            String encodeToString = Base64.encodeToString(encryptedData, 0);
+            Intrinsics.checkNotNullExpressionValue(encodeToString, "encodeToString(...)");
+            return encodeToString;
+        } catch (Exception e) {
+            return "Encryption error: " + e.getMessage();
+        }
+    }
+
+    public final String vulnerable3DesEncryption(String data) {
+        Intrinsics.checkNotNullParameter(data, "data");
+        try {
+            byte[] bytes = "123456789012345678901234".getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
+            DESedeKeySpec keySpec = new DESedeKeySpec(bytes);
+            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DESede");
+            Key generateSecret = keyFactory.generateSecret(keySpec);
+            Intrinsics.checkNotNullExpressionValue(generateSecret, "generateSecret(...)");
+            Key secretKey = generateSecret;
+            Cipher cipher = Cipher.getInstance("DESede");
+            cipher.init(1, secretKey);
+            byte[] bytes2 = data.getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(bytes2, "this as java.lang.String).getBytes(charset)");
+            byte[] encryptedData = cipher.doFinal(bytes2);
+            String encodeToString = Base64.encodeToString(encryptedData, 0);
+            Intrinsics.checkNotNullExpressionValue(encodeToString, "encodeToString(...)");
+            return encodeToString;
+        } catch (Exception e) {
+            return "Encryption error: " + e.getMessage();
+        }
+    }
+
+    public final String mastgTest() {
+        String desEncryptedString = vulnerableDesEncryption("Hello from the OWASP MASTG Test app.");
+        String tripleDesEncryptedString = vulnerable3DesEncryption("Hello from the OWASP MASTG Test app.");
+        return "DES Encrypted: " + desEncryptedString + "\n3DES Encrypted: " + tripleDesEncryptedString;
+    }
+}

demos/android/MASVS-CRYPTO/MASTG-DEMO-0022/MastgTest.kt

@@ -0,0 +1,65 @@
+package org.owasp.mastestapp
+
+import android.content.Context
+import java.security.Key
+import javax.crypto.Cipher
+import javax.crypto.SecretKeyFactory
+import javax.crypto.spec.DESKeySpec
+import javax.crypto.spec.DESedeKeySpec
+import javax.crypto.spec.SecretKeySpec
+import android.util.Base64
+
+class MastgTest(private val context: Context) {
+
+    // Vulnerable encryption using DES (weak algorithm)
+    fun vulnerableDesEncryption(data: String): String {
+        try {
+            // Weak key for DES
+            val keySpec = DESKeySpec("12345678".toByteArray())
+            val keyFactory = SecretKeyFactory.getInstance("DES")
+            val secretKey: Key = keyFactory.generateSecret(keySpec)
+
+            // Weak encryption algorithm (DES) and weak mode (ECB)
+            val cipher = Cipher.getInstance("DES")
+            cipher.init(Cipher.ENCRYPT_MODE, secretKey)
+
+            val encryptedData = cipher.doFinal(data.toByteArray())
+            return Base64.encodeToString(encryptedData, Base64.DEFAULT)
+        } catch (e: Exception) {
+            return "Encryption error: ${e.message}"
+        }
+    }
+
+
+    // Vulnerable encryption using 3DES (Triple DES)
+    fun vulnerable3DesEncryption(data: String): String {
+        try {
+            // Weak key for 3DES (24-byte key)
+            val keySpec = DESedeKeySpec("123456789012345678901234".toByteArray()) // 24 bytes key
+            val keyFactory = SecretKeyFactory.getInstance("DESede")
+            val secretKey: Key = keyFactory.generateSecret(keySpec)
+
+            // Weak encryption algorithm (3DES)
+            val cipher = Cipher.getInstance("DESede")
+            cipher.init(Cipher.ENCRYPT_MODE, secretKey)
+
+            val encryptedData = cipher.doFinal(data.toByteArray())
+            return Base64.encodeToString(encryptedData, Base64.DEFAULT)
+        } catch (e: Exception) {
+            return "Encryption error: ${e.message}"
+        }
+    }
+
+    fun mastgTest(): String {
+        val sensitiveString = "Hello from the OWASP MASTG Test app."
+
+        // Encrypt with weak DES
+        val desEncryptedString = vulnerableDesEncryption(sensitiveString)
+
+        // Encrypt with weak 3DES
+        val tripleDesEncryptedString = vulnerable3DesEncryption(sensitiveString)
+
+        // Returning the encrypted results
+        return "DES Encrypted: $desEncryptedString\n3DES Encrypted: $tripleDesEncryptedString"
+    }
+}

demos/android/MASVS-CRYPTO/MASTG-DEMO-0022/output.txt

@@ -0,0 +1,13 @@
+
+
+┌─────────────────┐
+│ 2 Code Findings │
+└─────────────────┘
+
+  MastgTest_reversed.java
+    ❯❱ weak-encryption
+          Weak encryption like DES,3DES are in use.
+
+           36┆ Cipher cipher = Cipher.getInstance("DES");
+            ⋮┆----------------------------------------
+           59┆ Cipher cipher = Cipher.getInstance("DESede");

demos/android/MASVS-CRYPTO/MASTG-DEMO-0022/run.sh

@@ -0,0 +1 @@
+NO_COLOR=true semgrep -c ../../../../rules/mastg-android-weak-encryption.yaml ./MastgTest_reversed.java --text -o output.txt

demos/android/MASVS-CRYPTO/MASTG_DEMO-0016/MASTG-DEMO-0016.md

@@ -0,0 +1,36 @@
+---
+platform: android
+title: Uses of Insecure Encryption Modes in Cipher with semgrep
+id: MASTG-DEMO-0016
+code: [java]
+test: MASTG-TEST-0221
+---
+
+### Sample
+
+{{ MastgTest.kt # MastgTest_reversed.java }}
+
+### Steps
+
+Let's run our @MASTG-TOOL-0110 rule against the sample code.
+
+{{ ../../../../rules/weak-encryption-modes.yaml }}
+
+{{ run.sh }}
+
+### Observation
+
+The rule has identified five instances in the code file where insecure encryption modes are used.
+
+{{ output.txt }}
+
+### Evaluation
+
+Review each of the reported instances. The following configuration modes will implies the usage of insecure AES/ECB:
+
+- Line 36 using Cipher.getInstance("AES") defaults to ECB.
+- Line 55 using Cipher.getInstance("AES/ECB/NoPadding");.
+- Line 76 using Cipher.getInstance("AES/ECB/PKCS5Padding");.
+- Line 95 using Cipher.getInstance("AES/ECB/ISO10126Padding");.
+- Line 118 using Cipher.getInstance("DES/ECB/PKCS5Padding");.
+- Line 141 using Cipher.getInstance("DESede/ECB/PKCS5Padding");.

demos/android/MASVS-CRYPTO/MASTG_DEMO-0016/MastgTest.java

@@ -0,0 +1,158 @@
+package org.owasp.mastestapp;
+
+import android.content.Context;
+import android.util.Base64;
+import java.security.Key;
+import java.util.List;
+import javax.crypto.Cipher;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.DESKeySpec;
+import javax.crypto.spec.DESedeKeySpec;
+import javax.crypto.spec.SecretKeySpec;
+import kotlin.Metadata;
+import kotlin.collections.CollectionsKt;
+import kotlin.jvm.internal.Intrinsics;
+import kotlin.text.Charsets;
+import kotlin.text.StringsKt;
+
+/* compiled from: MastgTest.kt */
+@Metadata(d1 = {"\u0000\u001a\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0002\b\b\b\u0007\u0018\u00002\u00020\u0001B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0006\u0010\u0005\u001a\u00020\u0006J\u000e\u0010\u0007\u001a\u00020\u00062\u0006\u0010\b\u001a\u00020\u0006J\u000e\u0010\t\u001a\u00020\u00062\u0006\u0010\b\u001a\u00020\u0006J\u000e\u0010\n\u001a\u00020\u00062\u0006\u0010\b\u001a\u00020\u0006J\u000e\u0010\u000b\u001a\u00020\u00062\u0006\u0010\b\u001a\u00020\u0006J\u000e\u0010\f\u001a\u00020\u00062\u0006\u0010\b\u001a\u00020\u0006J\u000e\u0010\r\u001a\u00020\u00062\u0006\u0010\b\u001a\u00020\u0006R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\u000e"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "(Landroid/content/Context;)V", "mastgTest", "", "vulnerable3DesEcbPkcs5Padding", "data", "vulnerableAesEcbIso10126Padding", "vulnerableAesEcbNoPadding", "vulnerableAesEcbPkcs5Padding", "vulnerableAesEncryption", "vulnerableDesEcbPkcs5Padding", "app_debug"}, k = 1, mv = {1, 9, 0}, xi = 48)
+/* loaded from: classes4.dex */
+public final class MastgTest {
+    public static final int $stable = 8;
+    private final Context context;
+
+    public MastgTest(Context context) {
+        Intrinsics.checkNotNullParameter(context, "context");
+        this.context = context;
+    }
+
+    public final String vulnerableAesEncryption(String data) {
+        Intrinsics.checkNotNullParameter(data, "data");
+        try {
+            byte[] key = "1234567890123456".getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(key, "this as java.lang.String).getBytes(charset)");
+            SecretKeySpec secretKeySpec = new SecretKeySpec(key, "AES");
+            Cipher cipher = Cipher.getInstance("AES");
+            cipher.init(1, secretKeySpec);
+            byte[] bytes = data.getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
+            byte[] encryptedData = cipher.doFinal(bytes);
+            String encodeToString = Base64.encodeToString(encryptedData, 0);
+            Intrinsics.checkNotNullExpressionValue(encodeToString, "encodeToString(...)");
+            return encodeToString;
+        } catch (Exception e) {
+            return "Encryption error: " + e.getMessage();
+        }
+    }
+
+    public final String vulnerableAesEcbNoPadding(String data) {
+        Intrinsics.checkNotNullParameter(data, "data");
+        try {
+            byte[] key = "1234567890123456".getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(key, "this as java.lang.String).getBytes(charset)");
+            SecretKeySpec secretKeySpec = new SecretKeySpec(key, "AES");
+            Cipher cipher = Cipher.getInstance("AES/ECB/NoPadding");
+            cipher.init(1, secretKeySpec);
+            int paddingLength = 16 - (data.length() % 16);
+            String paddedData = data + StringsKt.repeat("\u0000", paddingLength);
+            byte[] bytes = paddedData.getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
+            byte[] encryptedData = cipher.doFinal(bytes);
+            String encodeToString = Base64.encodeToString(encryptedData, 0);
+            Intrinsics.checkNotNullExpressionValue(encodeToString, "encodeToString(...)");
+            return StringsKt.trim((CharSequence) encodeToString).toString();
+        } catch (Exception e) {
+            return "Encryption error: " + e.getMessage();
+        }
+    }
+
+    public final String vulnerableAesEcbPkcs5Padding(String data) {
+        Intrinsics.checkNotNullParameter(data, "data");
+        try {
+            byte[] key = "1234567890123456".getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(key, "this as java.lang.String).getBytes(charset)");
+            SecretKeySpec secretKeySpec = new SecretKeySpec(key, "AES");
+            Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
+            cipher.init(1, secretKeySpec);
+            byte[] bytes = data.getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
+            byte[] encryptedData = cipher.doFinal(bytes);
+            String encodeToString = Base64.encodeToString(encryptedData, 0);
+            Intrinsics.checkNotNullExpressionValue(encodeToString, "encodeToString(...)");
+            return encodeToString;
+        } catch (Exception e) {
+            return "Encryption error: " + e.getMessage();
+        }
+    }
+
+    public final String vulnerableAesEcbIso10126Padding(String data) {
+        Intrinsics.checkNotNullParameter(data, "data");
+        try {
+            byte[] key = "1234567890123456".getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(key, "this as java.lang.String).getBytes(charset)");
+            SecretKeySpec secretKeySpec = new SecretKeySpec(key, "AES");
+            Cipher cipher = Cipher.getInstance("AES/ECB/ISO10126Padding");
+            cipher.init(1, secretKeySpec);
+            byte[] bytes = data.getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
+            byte[] encryptedData = cipher.doFinal(bytes);
+            String encodeToString = Base64.encodeToString(encryptedData, 0);
+            Intrinsics.checkNotNullExpressionValue(encodeToString, "encodeToString(...)");
+            return encodeToString;
+        } catch (Exception e) {
+            return "Encryption error: " + e.getMessage();
+        }
+    }
+
+    public final String vulnerableDesEcbPkcs5Padding(String data) {
+        Intrinsics.checkNotNullParameter(data, "data");
+        try {
+            byte[] bytes = "12345678".getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
+            DESKeySpec keySpec = new DESKeySpec(bytes);
+            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DES");
+            Key generateSecret = keyFactory.generateSecret(keySpec);
+            Intrinsics.checkNotNullExpressionValue(generateSecret, "generateSecret(...)");
+            Key secretKey = generateSecret;
+            Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
+            cipher.init(1, secretKey);
+            byte[] bytes2 = data.getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(bytes2, "this as java.lang.String).getBytes(charset)");
+            byte[] encryptedData = cipher.doFinal(bytes2);
+            String encodeToString = Base64.encodeToString(encryptedData, 0);
+            Intrinsics.checkNotNullExpressionValue(encodeToString, "encodeToString(...)");
+            return encodeToString;
+        } catch (Exception e) {
+            return "Encryption error: " + e.getMessage();
+        }
+    }
+
+    public final String vulnerable3DesEcbPkcs5Padding(String data) {
+        Intrinsics.checkNotNullParameter(data, "data");
+        try {
+            byte[] bytes = "123456789012345678901234".getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
+            DESedeKeySpec keySpec = new DESedeKeySpec(bytes);
+            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("DESede");
+            Key generateSecret = keyFactory.generateSecret(keySpec);
+            Intrinsics.checkNotNullExpressionValue(generateSecret, "generateSecret(...)");
+            Key secretKey = generateSecret;
+            Cipher cipher = Cipher.getInstance("DESede/ECB/PKCS5Padding");
+            cipher.init(1, secretKey);
+            byte[] bytes2 = data.getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(bytes2, "this as java.lang.String).getBytes(charset)");
+            byte[] encryptedData = cipher.doFinal(bytes2);
+            String encodeToString = Base64.encodeToString(encryptedData, 0);
+            Intrinsics.checkNotNullExpressionValue(encodeToString, "encodeToString(...)");
+            return encodeToString;
+        } catch (Exception e) {
+            return "Encryption error: " + e.getMessage();
+        }
+    }
+
+    public final String mastgTest() {
+        List results = CollectionsKt.listOf((Object[]) new String[]{"AES Default: " + vulnerableAesEncryption("Hello from OWASP MASTG!"), "AES ECB NoPadding: " + vulnerableAesEcbNoPadding("Hello from OWASP MASTG!"), "AES ECB PKCS5Padding: " + vulnerableAesEcbPkcs5Padding("Hello from OWASP MASTG!"), "AES ECB ISO10126Padding: " + vulnerableAesEcbIso10126Padding("Hello from OWASP MASTG!"), "DES ECB PKCS5Padding: " + vulnerableDesEcbPkcs5Padding("Hello from OWASP MASTG!"), "3DES ECB PKCS5Padding: " + vulnerable3DesEcbPkcs5Padding("Hello from OWASP MASTG!")});
+        return CollectionsKt.joinToString$default(results, "\n", null, null, 0, null, null, 62, null);
+    }
+}