mobsf.mobsfscan.cbc_padding_oracle.cbc_padding_oracle

MobSF

Author

505

Download Count*

License

The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: cbc_padding_oracle
    patterns:
      - pattern-either:
          - pattern: |
              Cipher.getInstance("AES/CBC/PKCS5Padding")
          - pattern: |
              Cipher.getInstance("Blowfish/CBC/PKCS5Padding")
          - pattern: |
              Cipher.getInstance("DES/CBC/PKCS5Padding")
          - pattern: |
              Cipher.getInstance("AES/CBC/PKCS7Padding")
          - pattern: |
              Cipher.getInstance("Blowfish/CBC/PKCS7Padding")
          - pattern: |
              Cipher.getInstance("DES/CBC/PKCS7Padding")
    message: The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This
      configuration is vulnerable to padding oracle attacks.
    languages:
      - java
    severity: ERROR
    metadata:
      cwe: cwe-649
      owasp-mobile: m5
      masvs: crypto-3
      reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations
      license: LGPL-3.0-or-later

Short Link: https://sg.run/N8dz