mobsf.mobsfscan.crypto.weak_iv.weak_iv

MobSF

Author

unknown

Download Count*

License

The App may use weak IVs like "0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00" or "0x01,0x02,0x03,0x04,0x05,0x06,0x07". Not using a random IV makes the resulting ciphertext much more predictable and susceptible to a dictionary attack.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: weak_iv
    patterns:
      - pattern-either:
          - pattern: |
              byte[] $X = {
                0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
              };
              ...
              $Y =  new IvParameterSpec($X, ...);
          - pattern: |
              byte[] $X = {
                0x01,0x02,0x03,0x04,0x05,0x06,0x07
              };
              ...
              $Y =  new IvParameterSpec($X, ...);
    message: The App may use weak IVs like "0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00"
      or "0x01,0x02,0x03,0x04,0x05,0x06,0x07". Not using a random IV makes the
      resulting ciphertext much more predictable and susceptible to a dictionary
      attack.
    languages:
      - java
    severity: WARNING
    metadata:
      cwe: cwe-1204
      owasp-mobile: m5
      masvs: crypto-5
      reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#mobile-app-cryptography
      license: LGPL-3.0-or-later
      vulnerability_class:
        - Other

Short Link: https://sg.run/LpZr