java.lang.security.audit.crypto.ecb-cipher.ecb-cipher

Author: semgrep
Download count: 5,552

Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.

Definition

rules:
  - id: ecb-cipher
    metadata:
      functional-categories:
        - crypto::search::mode::javax.crypto
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#ECB_MODE
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    message: Cipher in ECB mode is detected. ECB mode produces the same output for
      the same input each time which allows an attacker to intercept and replay
      the data. Further, ECB mode does not provide any integrity checking. See
      https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.
    severity: WARNING
    languages:
      - java
    patterns:
      - pattern: |
          Cipher $VAR = $CIPHER.getInstance($MODE);
      - metavariable-regex:
          metavariable: $MODE
          regex: .*ECB.*

Examples

ecb-cipher.java

import java.security.GeneralSecurityException;
import java.security.spec.AlgorithmParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;

class ECBCipher {
  // Key, parameter spec and input are declared only so the fixture compiles;
  // the rule matches on the getInstance() transformation string alone.
  SecretKey k;
  AlgorithmParameterSpec iv;
  byte[] plainText;

  public void ecbCipher() throws GeneralSecurityException {
    // ruleid: ecb-cipher
    Cipher c = Cipher.getInstance("AES/ECB/NoPadding");
    // ECB mode does not use an IV; the init() call is kept as in the fixture.
    c.init(Cipher.ENCRYPT_MODE, k, iv);
    byte[] cipherText = c.doFinal(plainText);
  }

  public void noEcbCipher() throws GeneralSecurityException {
    // ok: ecb-cipher
    Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
    c.init(Cipher.ENCRYPT_MODE, k, iv);
    byte[] cipherText = c.doFinal(plainText);
  }
}
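As an added example (not part of the Semgrep rule or its test file), the Go program below shows with real AES from Go's standard library the two properties the rule message describes: ECB turns identical plaintext blocks into identical ciphertext blocks, while the AES-GCM alternative from the `ok` case rejects a ciphertext that was modified in transit. The key and the all-zero nonce are constructed demo values, and `ecbEncrypt` is written out by hand because Go deliberately ships no ECB mode.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ecbEncrypt applies the raw AES block function to each 16-byte block on its own,
// which is all "AES/ECB/NoPadding" does (Go ships no ECB mode on purpose).
// NoPadding contract: len(pt) must be a multiple of aes.BlockSize.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// repeatedBlocks counts ciphertext blocks that duplicate an earlier one: the leak
// the rule warns about. ECB echoes every repeated plaintext block; GCM does not.
func repeatedBlocks(ct []byte) int {
	seen, n := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			n++
		}
		seen[b] = true
	}
	return n
}

// gcmSealThenTamper encrypts with AES-GCM (the rule's "ok" case), flips one
// ciphertext byte and reports whether Open rejects it; ECB has no such check.
func gcmSealThenTamper(block cipher.Block, nonce, pt []byte) ([]byte, bool) {
	aead, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	ct := aead.Seal(nil, nonce, pt, nil)
	tampered := append([]byte(nil), ct...)
	tampered[0] ^= 0x01
	_, err := aead.Open(nil, nonce, tampered, nil)
	return ct, err != nil
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef0123456789abcdef")) // constructed demo key
	pt := []byte("same 16B block!!same 16B block!!same 16B block!!")     // three identical blocks
	ecb := ecbEncrypt(block, pt)
	gcm, rejected := gcmSealThenTamper(block, make([]byte, 12), pt) // fixed nonce: demo only
	fmt.Println(repeatedBlocks(ecb), repeatedBlocks(gcm), rejected)  // 2 0 true
}
```

The fixed all-zero nonce is acceptable only for this one-off demonstration; in real code every GCM encryption under the same key needs a fresh nonce.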