mobsf.mobsfscan.crypto.cbc_padding_oracle.cbc_padding_oracle
MobSFAuthor
unknown
Download Count*
License
The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
Run Locally
Run in CI
Defintion
rules:
- id: cbc_padding_oracle
patterns:
- pattern-either:
- pattern: |
Cipher.getInstance("AES/CBC/PKCS5Padding")
- pattern: |
Cipher.getInstance("Blowfish/CBC/PKCS5Padding")
- pattern: |
Cipher.getInstance("DES/CBC/PKCS5Padding")
- pattern: |
Cipher.getInstance("AES/CBC/PKCS7Padding")
- pattern: |
Cipher.getInstance("Blowfish/CBC/PKCS7Padding")
- pattern: |
Cipher.getInstance("DES/CBC/PKCS7Padding")
message: The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This
configuration is vulnerable to padding oracle attacks.
languages:
- java
severity: ERROR
metadata:
cwe: cwe-649
owasp-mobile: m5
masvs: crypto-3
reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations
license: LGPL-3.0-or-later
vulnerability_class:
- Other
Short Link: https://sg.run/OjEB