mobsf.mobsfscan.cbc_static_iv.cbc_static_iv

MobSF

Author

505

Download Count*

GPLv3

License

The IV for AES CBC mode should be random. A static IV makes the ciphertext vulnerable to Chosen Plaintext Attack.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: cbc_static_iv
    patterns:
      - pattern-either:
          - pattern: |
              byte[] $X = {...};
              ...
              $Y =  new IvParameterSpec($X, ...);
              ...
              $C.getInstance("=~/AES/CBC.*/i");
          - pattern: |
              byte[] $X = "...".$FUNC(...);
              ...
              $Y =  new IvParameterSpec($X, ...);
              ...
              $C.getInstance("=~/AES/CBC.*/i");
    message: The IV for AES CBC mode should be random. A static IV makes the
      ciphertext vulnerable to Chosen Plaintext Attack.
    languages:
      - java
    severity: ERROR
    metadata:
      cwe: cwe-329
      owasp-mobile: m5
      masvs: crypto-5
      reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#predictable-initialization-vector
      license: LGPL-3.0-or-later

Short Link: https://sg.run/kkb2