mobsf.mobsfscan.crypto.rsa_no_oeap.rsa_no_oeap

MobSF

Author

unknown

Download Count*

License

This App uses RSA Crypto without OAEP padding. The purpose of the padding scheme is to prevent a number of attacks on RSA that only work when the encryption is performed without padding.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: rsa_no_oeap
    patterns:
      - pattern-either:
          - pattern: |
              Cipher.getInstance($X, ...)
          - pattern: |
              javax.crypto.Cipher.getInstance($X, ...)
      - metavariable-regex:
          metavariable: $X
          regex: (?i:.*rsa/.+/nopadding.*)
    message: This App uses RSA Crypto without OAEP padding. The purpose of the
      padding scheme is to prevent a number of attacks on RSA that only work
      when the encryption is performed without padding.
    languages:
      - java
    severity: ERROR
    metadata:
      cwe: cwe-780
      owasp-mobile: m5
      masvs: crypto-3
      reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#mobile-app-cryptography
      license: LGPL-3.0-or-later

Short Link: https://sg.run/ZZED