Horusec Java

Nesta seção, você vai encontrar mais informações sobre vulnerabilidades que o Horusec encontra em projetos Java.

O que é?

O Horusec-Java é uma ferramenta SAST criado pela equipe do Horusec para fazer a busca de vulnerabilidades em projetos java.

Exemplos de vulnerabilidades

File Is World Readable

Indica que o código está vulnerável e que, por isso, qualquer app consegue ler o arquivo.

The file is World Readable. Any App can read from the file. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.

Exemplo de código vulnerável:

fos = openFileOutput(filename, MODE_WORLD_READABLE);
fos.write(userInfo.getBytes());

Exemplo de código não vulnerável:

fos = openFileOutput(filename, MODE_PRIVATE);

File Is World Writable

Indica que o código está vulnerável e que, por isso, qualquer app pode escrever no arquivo.

The file is World Writable. Any App can write to the file. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.

Exemplo de código vulnerável:

fos = openFileOutput(filename, MODE_WORLD_WRITABLE);
fos.write(userInfo.getBytes());

Exemplo de código não vulnerável:

fos = openFileOutput(filename, MODE_PRIVATE);

No Write External Content

Indica que o código está sensível e qualquer app pode ler ou escrever no armazenamento externo do seu arquivo.

App can read/write to External Storage. Any App can read data written to External Storage. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.
This rule raises an issue when the following functions are called:

  • android.os.Environment.getExternalStorageDirectory
  • android.os.Environment.getExternalStoragePublicDirectory
  • android.content.Context.getExternalFilesDir
  • android.content.Context.getExternalFilesDirs
  • android.content.Context.getExternalMediaDirs
  • android.content.Context.getExternalCacheDir
  • android.content.Context.getExternalCacheDirs
  • android.content.Context.getObbDir
  • android.content.Context.getObbDirs

Exemplo de código sensível:

import android.content.Context;
import android.os.Environment;

public class AccessExternalFiles {

    public void accessFiles(Context context) {
        Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_PICTURES); // Sensitive
        context.getExternalFilesDir(Environment.DIRECTORY_PICTURES); // Sensitive
    }
}

No use IVs weak

Indica que o aplicativo está usando um IVs fraco e que, por isso, está mais suscetível a ataques no seu diretório.

The App may use weak IVs like 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 or 0x01,0x02,0x03,0x04,0x05,0x06,0x07. Not using a random IV makes the resulting ciphertext much more predictable and susceptible to a dictionary attack. For more information checkout the CWE-329 (https://cwe.mitre.org/data/definitions/329.html) advisory.

This App may have root detection capabilities

Indica risco de que a raiz do aplicativo esteja com suas capacidades debilitadas. Isso pode acontecer se existir qualquer um dos códigos a seguir:

  • .contains("test-keys")
  • /system/app/Superuser.apk
  • isDeviceRooted()
  • /system/bin/failsafe/su
  • /system/sd/xbin/su
  • "/system/xbin/which", "su"
  • RootTools.isAccessGiven()

Set or Read Clipboard data

Indica uma vulnerabilidade encontrada quando você faz um set ou lê o conteúdo do seu clipboard usando qualquer um dos códigos a seguir:

  • content.ClipboardManager
  • CLIPBOARD_SERVICE
  • ClipboardManager

Message Digest

Indica que um algoritmo não é mais seguro por ser muito fácil de criar colisões no seu hash.

The MD5 algorithm and its successor, SHA-1, are no longer considered secure, because it is too easy to create hash collisions with them. That is, it takes too little computational effort to come up with a different input that produces the same MD5 or SHA-1 hash, and using the new, same-hash value gives an attacker the same access as if he had the originally-hashed value. This applies as well to the other Message-Digest algorithms: MD2, MD4, MD6, HAVAL-128, HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160.

Exemplo de código vulnerável:

MyProprietaryMessageDigest extends MessageDigest {
    @Override
    protected byte[] engineDigest() {
        [...]
        //Creativity is a bad idea
        return [...];
    }
}

Exemplo de código não vulnerável:

MessageDigest sha256Digest = MessageDigest.getInstance("SHA256");
sha256Digest.update(password.getBytes());

Overly permissive file permission

Indica que houve um permissionamento excessivo ao arquivo, o que pode deixá-lo vulnerável a ataques.

It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. For more information checkout the CWE-732 (https://cwe.mitre.org/data/definitions/732.html) advisory.

Exemplo de código vulnerável:

Set<PosixFilePermission> perms = new HashSet<>();
perms.add(PosixFilePermission.OWNER_READ);
perms.add(PosixFilePermission.OWNER_WRITE);
perms.add(PosixFilePermission.OWNER_EXECUTE);

perms.add(PosixFilePermission.GROUP_READ);
perms.add(PosixFilePermission.GROUP_WRITE);
perms.add(PosixFilePermission.GROUP_EXECUTE);

perms.add(PosixFilePermission.OTHERS_READ);
perms.add(PosixFilePermission.OTHERS_WRITE);
perms.add(PosixFilePermission.OTHERS_EXECUTE);

Exemplo de código não vulnerável:

Set<PosixFilePermission> perms = new HashSet<>();
perms.add(PosixFilePermission.OWNER_READ);
perms.add(PosixFilePermission.OWNER_WRITE);
perms.add(PosixFilePermission.OWNER_EXECUTE);

perms.add(PosixFilePermission.GROUP_READ);
perms.add(PosixFilePermission.GROUP_WRITE);
perms.add(PosixFilePermission.GROUP_EXECUTE);

DES, DESede, RSA is insecure

Indica que o DES, RSA ou DESede não estão mais seguros.

DES is considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory.

Exemplo de código vulnerável:

Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
c.init(Cipher.ENCRYPT_MODE, k, iv);
byte[] cipherText = c.doFinal(plainText);

// =========== //

Cipher c = Cipher.getInstance("DESede/ECB/PKCS5Padding");
c.init(Cipher.ENCRYPT_MODE, k, iv);
byte[] cipherText = c.doFinal(plainText);

// =========== //

Cipher.getInstance("RSA/NONE/NoPadding")

Exemplo de código não vulnerável:

Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
c.init(Cipher.ENCRYPT_MODE, k, iv);
byte[] cipherText = c.doFinal(plainText);

// =========== //

Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
c.init(Cipher.ENCRYPT_MODE, k, iv);
byte[] cipherText = c.doFinal(plainText);

// =========== //

Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding")

Hidden elements

Indica que há elementos ocultos e que, por isso, essas informações podem ser vazadas.

Hidden elements in view can be used to hide data from user. But this data can be leaked. For more information checkout the CWE-919 (https://cwe.mitre.org/data/definitions/919.html) advisory.

Weak block mode for Cryptographic Hash Function

Indica que há um fraco bloqueio para entrada no seu hash.

A weak ECB, (a.k.a ‘block mode’) was found in one of your Ciphers. Always use a strong, high entropy hash, for example the SHA-512 with salt options. For more information check:

Weak Cryptographic Hash Function used

Indica que há uma criptografia fraca CHF que pode aumentar o risco de ataque para vazamento de dados.

Using a weak CHF pose a threat to your application security since it can be vulnerable to a number of attacks that could lead to data leaking, improper access of features and resources of your infrastructure and even rogue sessions. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.

Possible File With Vulnerability When Open

Indica que um possível arquivo com vulnerabilidade foi aberto.

The file is World Readable and Writable. Any App can read/write to the file. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.

Sensitive Information Not Encrypted

Indica que há informações sensíveis não criptografadas.

App can write to App Directory. Sensitive Information should be encrypted. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.

Insecure Random Number Generator

Indica que o app está usando um gerador de números randômicos que não é seguro.

The App uses an insecure Random Number Generator. For more information checkout the CWE-330 (https://cwe.mitre.org/data/definitions/330.html) advisory.

No Default Java Hash

Indica que não há um hash Java default, o que enfraquece a segurança do seu projeto.

This App uses Java Hash Code. It’s a weak hash function and should never be used in Secure Crypto Implementation. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.

Layout Params Flag Secure

Indica que há atividades que estão evitando a captura de tela quando vão para background da sua aplicação.

No use SQL Cipher

Indica que não há um SWL Cipher e, por isso, o “segredo” de senhas e demais dados sensíveis podem ser descobertos.

This App uses SQL Cipher. But the secret may be hardcoded. For more information checkout the CWE-312 (https://cwe.mitre.org/data/definitions/312.html) advisory.

__

Prevent Tap Jacking Attacks

Indica que o app está com fragilidades e que, por isso, pode não prevenir ataques de tapjacking.

This app has capabilities to prevent tapjacking attacks. For more information checkout the CWE-1021 (https://cwe.mitre.org/data/definitions/1021.html) advisory.

Prevent Write sensitive information in tmp file

Indica a necessidade de criar um arquivo para previnir ataques a certos dados sensíveis.

App creates temp file. Sensitive information should never be written into a temp file. For more information checkout the CWE-276 (https://cwe.mitre.org/data/definitions/276.html) advisory.

Get Window Flag Secure

Indica quando as capacidades do app de prevenir capturas de telas que venham do Recent Task History/Now On Tap etc.

Exemplo de código vulnerável:

public void disableScreenCapture() {
    getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE);

}

Loading Native Code

Indica quando há problemas para código nativo ser carregado, em especial no caso de biblioteca compartilhada.

Exemplo de código vulnerável:

System.loadLibrary("library")

Dynamic Class and Dexloading

Indica quando há um Dynamic Class and Dexloading.

Exemplo de código vulnerável:

import dalvik.system.DexClassLoader
or
import java.security.ClassLoader
or
import java.net.URLClassLoader
or
import java.security.SecureClassLoader

Java Crypto import

Indica que há um problema na importação de Java Crypto.

Exemplo de código vulnerável:

import javax.crypto
or
import kalium.crypto
or
import bouncycastle.crypto

Starting Service

Indica que há vulnerabilidades ao iniciar aplicação usando StartingService or BindService.

Exemplo de código vulnerável:

startService(...)
or
bindService(...)

Sending Broadcast

Indica que há problemas no Sending Broadcast.

Exemplo de código vulnerável:

sendBroadcast(...)
or
sendOrderedBroadcast(...)
or
sendStickyBroadcast(...)

Local File I/O Operations

Indica possíveis vulnerabilidades no Local File I/O Operations.

Possíveis vulnerabilidades ao usar:

  • OpenFileOutput
  • getSharedPreferences
  • SharedPreferences.Editor
  • getCacheDir
  • getExternalStorageState
  • openOrCreateDatabase

Inter Process Communication

Indica algum problema interno de processar comunicação.

Inter Process Communication

Possíveis vulnerabilidades ao usar:

  • IRemoteService
  • IRemoteService.Stub
  • IBinder

__

DefaultHttpClient with default constructor is not compatible with TLS 1.2

Indica a sua implementação precisa ser atualizada para evitar incompatibilidades com TLS 1.2.

Upgrade your implementation to use one of the recommended constructs and configure https.protocols JVM option to include TLSv1.2. Use SystemDefaultHttpClient instead. For more information checkout (https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https).

Weak SSLContext

Indica que a sua implementação precisa ser atualizada para estar compatível com SSLContext.

Upgrade your implementation to the following, and configure https.protocols JVM option to include TLSv1.2:. Use SSLContext.getInstance(“TLS”). For more information checkout (https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https)

HostnameVerifier that accept any signed certificates

Indica possíveis problemas com HostNameVerifier para trabalhar vulnerabilidades em alguns hosts.

A HostnameVerifier that accept any host are often use because of certificate reuse on many hosts. As a consequence, this is vulnerable to Man-in-the-middle attacks since the client will trust any certificate. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.

URL rewriting method

Indica que o método de reescrita da URL pode ter alguns riscos de segurança.

URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties. Session ID in the URL can be disclosed in many ways. For more information checkout the (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication) advisory.

Disabling HTML escaping

Indica que o HTML escaping não está funcionando corretamente e, por isso, pode representar riscos de XSS.

Disabling HTML escaping put the application at risk for Cross-Site Scripting (XSS). For more information checkout the CWE-79 (https://cwe.mitre.org/data/definitions/79.html) advisory.

Overly permissive CORS policy

Indica que o CORS policy está com excesso de permissionamento, o que pode representar riscos de segurança.

A web server defines which other domains are allowed to access its domain using cross-origin requests. However, caution should be taken when defining the header because an overly permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks. For more information checkout the (https://fetch.spec.whatwg.org/) advisory.

SQL Injection

Indica que os valores do SQL Injection podem não estar sendo passados com segurança.

The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. Alternatively to prepare statements, each parameter can be escaped manually. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.

SQL Injection With Turbine

Indica mais uma vulnerabilidade associada a SQL Injection.

The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. Turbine API provide a DSL to build query with Java code. Alternatively to prepare statements, each parameter can be escaped manually. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.

SQL Injection With Hibernate

Indica mais uma vulnerabilidade associada a SQL Injection.

The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. Alternatively to prepare statements, Hibernate Criteria can be used. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory and checkout the CWE-564 (https://cwe.mitre.org/data/definitions/564.html) advisory.

SQL Injection With JDO

Indica mais uma vulnerabilidade associada a SQL Injection.

The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.

SQL Injection With JPA

Indica mais uma vulnerabilidade associada a SQL Injection.

The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.

SQL Injection Spring JDBC

Indica mais uma vulnerabilidade associada a SQL Injection.

The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.

SQL Injection JDBC

Indica mais uma vulnerabilidade associada a SQL Injection.

The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.

Potential LDAP Injection

Indica uma potencial vulnerabilidade com LDAP.

Just like SQL, all inputs passed to an LDAP query need to be passed in safely. Unfortunately, LDAP doesn’t have prepared statement interfaces like SQL. Therefore, the primary defense against LDAP injection is strong input validation of any untrusted data before including it in an LDAP query. For more information checkout the CWE-90 (https://cwe.mitre.org/data/definitions/90.html) advisory.

Potential external control of configuration

Indica possíveis riscos ao permitir controle externo às configurações do sistema.

Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways. An attacker could cause an error by providing a nonexistent catalog name or connect to an unauthorized portion of the database. For more information checkout the CWE-15 (https://cwe.mitre.org/data/definitions/15.html) advisory.

Bad hexadecimal concatenation

Indica uma má concatenação do hexadecimal.

When converting a byte array containing a hash signature to a human readable string, a conversion mistake can be made if the array is read byte by byte. The following sample illustrates the use of the method Integer.toHexString() which will trim any leading zeroes from each byte of the computed hash value. For more information checkout the CWE-704 (https://cwe.mitre.org/data/definitions/704.html) advisory.

__

NullCipher is insecure

Indica inseguranças relacionadas à NullCipher.

The NullCipher is rarely used intentionally in production applications. It implements the Cipher interface by returning ciphertext identical to the supplied plaintext. In a few contexts, such as testing, a NullCipher may be appropriate. For more information checkout the CWE-704 (https://cwe.mitre.org/data/definitions/704.html) advisory.

Unsafe hash equals

Indica que o valor secreto do hash pode ser descoberto por invasores devido a problemas em algumas funções.

An attacker might be able to detect the value of the secret hash due to the exposure of comparison timing. When the functions Arrays.equals() or String.equals() are called, they will exit earlier if fewer bytes are matched. For more information checkout the CWE-704 (https://cwe.mitre.org/data/definitions/704.html) advisory.

__

Unvalidated Redirect

Indica problemas de redirecionamento.

Unvalidated redirects occur when an application redirects a user to a destination URL specified by a user supplied parameter that is not validated. Such vulnerabilities can be used to facilitate phishing attacks. For more information checkout the CWE-601 (https://cwe.mitre.org/data/definitions/601.html) advisory.

__

@RequestMapping methods should be public

Indica possíveis problemas no método @RequestMapping.

A method with a @RequestMapping annotation part of a class annotated with @Controller (directly or indirectly through a meta annotation - @RestController from Spring Boot is a good example) will be called to handle matching web requests. That will happen even if the method is private, because Spring invokes such methods via reflection, without checking visibility. For more information checkout the OWASAP:A6 (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration) advisory.

__

LDAP deserialization should be disabled

Indica que a desirialização do LDAP pode estar desabilitada.

JNDI supports the deserialization of objects from LDAP directories, which is fundamentally insecure and can lead to remote code execution. This rule raises an issue when an LDAP search query is executed with SearchControls configured to allow deserialization. For more information checkout the CWE-502 (https://cwe.mitre.org/data/definitions/502.html) advisory.

__

Databases should be password-protected

Indica que as bases de dados precisam de proteção para senhas.

Databases should always be password protected. The use of a database connection with an empty password is a clear indication of a database that is not protected. For more information checkout the CWE-521 (https://cwe.mitre.org/data/definitions/521.html) advisory.

XML parsing vulnerable to XXE

Indica vulnerabilidades associadas ao XML.

XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.

XML parsing vulnerable to XXE With XMLInputFactory

Indica vulnerabilidades associadas ao XML.

XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.

XML parsing vulnerable to XXE With DocumentBuilder

Indica vulnerabilidades associadas ao XML.

XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.

XML parsing vulnerable to XXE With SAXParserFactory

Indica vulnerabilidades associadas ao XML.

XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.

XML parsing vulnerable to XXE With TransformerFactory using SchemaFactory

Indica vulnerabilidades associadas ao XML.

XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.

__

XML parsing vulnerable to XXE With TransformerFactory

Indica vulnerabilidades associadas ao XML.

XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.

__

XML parsing vulnerable to XXE With Dom4j

Indica vulnerabilidades associadas ao XML.

XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.

__

XML parsing vulnerable to XXE With Jdom2

Indica vulnerabilidades associadas ao XML.

XML External Entity (XXE) attacks can occur when an XML parser supports XML entities while processing XML received from an untrusted source. For more information checkout the CWE-611 (https://cwe.mitre.org/data/definitions/611.html) advisory.

Insecure Implementation of SSL

Insecure Implementation of SSL. Trusting all the certificates or accepting self signed certificates is a critical Security Hole. This application is vulnerable to MITM attacks. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.

__

Message digest is custom

Implementing a custom MessageDigest is error-prone. NIST recommends the use of SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, or SHA-512/256. For more information checkout the CWE-327 (https://cwe.mitre.org/data/definitions/327.html) advisory.

__

TrustManager that accept any certificates Client

Empty TrustManager implementations are often used to connect easily to a host that is not signed by a root certificate authority. As a consequence, this is vulnerable to Man-in-the-middle attacks since the client will trust any certificate. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.

__

Server hostnames should be verified during SSL/TLS connections

To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it’s essential to make sure the server presents the right certificate. The certificate’s hostname-specific data should match the server hostname. It’s not recommended to re-invent the wheel by implementing custom hostname verification. TLS/SSL libraries provide built-in hostname verification functions that should be used. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.

__

Server hostnames should be verified during SSL/TLS connections With SimpleEmail

To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it’s essential to make sure the server presents the right certificate. The certificate’s hostname-specific data should match the server hostname. It’s not recommended to re-invent the wheel by implementing custom hostname verification. TLS/SSL libraries provide built-in hostname verification functions that should be used. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.

__

Server hostnames should be verified during SSL/TLS connections With JavaMail’s

To establish a SSL/TLS connection not vulnerable to man-in-the-middle attacks, it’s essential to make sure the server presents the right certificate. The certificate’s hostname-specific data should match the server hostname. It’s not recommended to re-invent the wheel by implementing custom hostname verification. TLS/SSL libraries provide built-in hostname verification functions that should be used. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.

__

TrustManager that accept any certificates Server

Empty TrustManager implementations are often used to connect easily to a host that is not signed by a root certificate authority. As a consequence, this is vulnerable to Man-in-the-middle attacks since the client will trust any certificate. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.

__

TrustManager that accept any certificates Issuers

Empty TrustManager implementations are often used to connect easily to a host that is not signed by a root certificate authority. As a consequence, this is vulnerable to Man-in-the-middle attacks since the client will trust any certificate. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.

__

WebView Load Files From External Storage

WebView load files from external storage. Files in external storage can be modified by any application. For more information checkout the CWE-919 (https://cwe.mitre.org/data/definitions/919.html) advisory.

__

Insecure Web View Implementation

Insecure WebView Implementation. Execution of user controlled code in WebView is a critical Security Hole. For more information checkout the CWE-749 (https://cwe.mitre.org/data/definitions/749.html) advisory.

__

No Use SQL Cipher

Indica problemas relacionados ao uso de SQL Cipher.

This App uses SQL Cipher. SQLCipher provides 256-bit AES encryption to sqlite database files

Possíveis vulnerabilidades ao usar:

  • SQLiteDatabase.loadLibs(...)
  • net.sqlcipher

__

No Use Realm Database With Encryption Key

Indica problemas relacionados ao uso do Realm Database com criptografia.

This App use Realm Database with encryption

Possíveis vulnerabilidades ao usar:

  • io.realm.Realm
  • content.encryptionKey(...)

__

No Use Webview Debugging Enable

Indica problemas relacionados ao WebView remoto.

Remote WebView debugging is enabled. For more information checkout the CWE-215 (https://cwe.mitre.org/data/definitions/215.html) advisory.

__

No Listen To Clipboard

Indica problemas em retornar mudanças do clipboard.

This app listens to Clipboard changes. Some malwares also listen to Clipboard changes.

Possíveis vulnerabilidades ao usar:

  • content.ClipboardManager
  • OnPrimaryClipChangedListener

__

No copy content to clipboard

Indica possíveis problemas ao se copiar dados sensíveis para clipboard.

This App copies data to clipboard. Sensitive data should not be copied to clipboard as other applications can access it.

Possíveis vulnerabilidades ao usar:

  • content.ClipboardManager
  • setPrimaryClip

No Use Webview Ignoring SSL

Insecure WebView Implementation. WebView ignores SSL Certificate errors and accept any SSL Certificate. This application is vulnerable to MITM attacks. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.

__

SQL Injection With SqlUtil

The method identified is susceptible to injection. The input should be validated and properly escaped. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.

__

No Use Frida Server

Indica que há erros quanto ao uso do Frida Server. A mensagem que aparece é esta:

This App detects frida server.

Possíveis vulnerabilidades ao usar:

  • fridaserver
  • 27047 or LIBFRIDA

No Use SSL Pinning Lib

Indica problemas no uso da Lib do SSL Pinning.

This App uses an SSL Pinning Library (org.thoughtcrime.ssl.pinning) to prevent MITM attacks in secure communication channel.

Possíveis vulnerabilidades ao usar:

  • fridaserver
  • 27047 or LIBFRIDA

__

DexGuard Debug Detection

Indica problemas relaciondas a detecção de debug no DexGuard.

DexGuard Debug Detection code to detect wheather an App is debuggable or not is identified.

Possíveis vulnerabilidades ao usar:

  • import dexguard.util
  • DebugDetector.isDebuggable

__

No Use DexGuard Debugger Connected

Indica problemas relacionados à identificação do DexGuard Debugger Detection.

DexGuard Debugger Detection code is identified.

Possíveis vulnerabilidades ao usar:

  • import dexguard.util
  • DebugDetector.isDebuggerConnected

__

No Use DexGuard Emulator Detection

Indica que não foi detectado uso do DexGuard Emulator.

DexGuard Emulator Detection code is identified.

Possíveis vulnerabilidades ao usar:

  • import dexguard.util
  • EmulatorDetector.isRunningInEmulator

__

No Use DexGuard With Debug Key

Indica vulnerabilidades relacionadas ao DexGuard com uso da chave Debug.

DexGuard code to detect wheather the App is signed with a debug key or not is identified.

Possíveis vulnerabilidades ao usar:

  • import dexguard.util
  • DebugDetector.isSignedWithDebugKey

__

No Use DexGuard Root

Identifica a presença do código do DexGuard Root.

DexGuard Root Detection code is identified.

Possíveis vulnerabilidades ao usar:

  • import dexguard.util
  • RootDetector.isDeviceRooted

__

No Use DexGuard

Identifica a presença do código do DexGuard App Tamper.

DexGuard App Tamper Detection code is identified.

Possíveis vulnerabilidades ao usar:

  • import dexguard.util
  • TamperDetector.checkApk

__

No Use DexGuard in signer

Identifica a presença do código DexGuard Signer Certificate Tamper.

DexGuard Signer Certificate Tamper Detection code is identified.

Possíveis vulnerabilidades ao usar:

  • import dexguard.util
  • TamperDetector.checkApk

__

No use package with tamper detection

Indica que não há um pacote de uso no seu tamper detection.

The App may use package signature for tamper detection.

Possíveis vulnerabilidades ao usar:

  • PackageManager.GET_SIGNATURES
  • getPackageName(...)

__

Load and Manipulate Dex Files

Load and Manipulate Dex Files

Possíveis vulnerabilidades ao usar:

  • dalvik.system.PathClassLoader or dalvik.system.DexFile or dalvik.system.DexPathList
  • loadDex or loadClass or DexClassLoader or loadDexFile

__

Obfuscation

Obfuscation

Possíveis vulnerabilidades ao usar:

  • utils.AESObfuscator
  • getObfuscator

__

Execute OS Command

Execute OS Command. For more information checkout the CWE-78 (https://cwe.mitre.org/data/definitions/78.html) advisory.

__

TCP Server Socket

TCP Server Socket

Possíveis vulnerabilidades ao usar:

  • new ServerSocket(...)
  • net.ServerSocket

__

TCP Socket

TCP Socket

Possíveis vulnerabilidades ao usar:

  • new Socket(...)
  • net.Socket

__

UDP Datagram Packet

UDP Datagram Packet

Possíveis vulnerabilidades ao usar:

  • DatagramPacket
  • net.DatagramPacket

__

UDP Datagram Socket

UDP Datagram Socket

Possíveis vulnerabilidades ao usar:

  • net.DatagramPacket
  • DatagramSocket

__

WebView JavaScript Interface

WebView JavaScript Interface

Possíveis vulnerabilidades ao usar:

  • addJavascriptInterface
  • WebView

__

Get Cell Information

Get Cell Information

Possíveis vulnerabilidades ao usar:

  • telephony.TelephonyManager
  • getAllCellInfo

__

Get Cell Location

Get Cell Location

Possíveis vulnerabilidades ao usar:

  • telephony.TelephonyManager
  • getCellLocation

__

Get Subscriber ID

Get Subscriber ID

Possíveis vulnerabilidades ao usar:

  • telephony.TelephonyManager
  • getSubscriberId

__

Get Device ID

Get Device ID

Possíveis vulnerabilidades ao usar:

  • telephony.TelephonyManager
  • getDeviceId

__

Get Software Version, IMEI/SV etc

Get Software Version, IMEI/SV etc

Possíveis vulnerabilidades ao usar:

  • telephony.TelephonyManager
  • getDeviceSoftwareVersion

__

Get SIM Serial Number

Get SIM Serial Number

Possíveis vulnerabilidades ao usar:

  • telephony.TelephonyManager
  • getSimSerialNumber

__

Get SIM Provider Details

Get SIM Provider Details

Possíveis vulnerabilidades ao usar:

  • telephony.TelephonyManager
  • getSimOperator

__

Get SIM Operator Name

Get SIM Operator Name

Possíveis vulnerabilidades ao usar:

  • telephony.TelephonyManager
  • getSimOperatorName

__

Query Database of SMS, Contacts etc.

Query Database of SMS, Contacts etc.

Possíveis vulnerabilidades ao usar:

  • content.ContentResolver
  • query

__

Potential Path Traversal (file read)

A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read. This rule identifies potential path traversal vulnerabilities. Please consider use this example: new File("resources/images/", FilenameUtils.getName(value_received_in_params)). For more information checkout the CWE-22 (https://cwe.mitre.org/data/definitions/22.html) advisory.

__

Potential Path Traversal Using scala API (file read)

A file is opened to read its content. The filename comes from an input parameter. If an unfiltered parameter is passed to this file API, files from an arbitrary filesystem location could be read. Please consider use this example:

val result = Source.fromFile("public/lists/" + FilenameUtils.getName(value_received_in_params)).getLines().mkString

For more information checkout the CWE-22 (https://cwe.mitre.org/data/definitions/22.html) advisory.

__

SMTP Header Injection

If user input is place in a header line, the application should remove or replace new line characters (CR / LF). For more information checkout the CWE-93 (https://cwe.mitre.org/data/definitions/93.html) advisory.

__

Insecure SMTP SSL connection

Some email libraries that enable SSL connections do not verify the server certificate by default. This is equivalent to trusting all certificates. For more information checkout the CWE-297 (https://cwe.mitre.org/data/definitions/297.html) advisory.

__

Storing sensitive data in a persistent cookie for an extended period can lead to a breach of confidentiality or account compromise. For more information checkout the CWE-539 (https://cwe.mitre.org/data/definitions/539.html) advisory.

__

Anonymous LDAP bind

All LDAP queries executed against the context will be performed without authentication and access control. For more information checkout the (https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html) advisory.

__

LDAP Entry Poisoning

If certain attributes are presented, the deserialization of object will be made in the application querying the directory. Object deserialization should be consider a risky operation that can lead to remote code execution. For more information checkout the (https://blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection) advisory.

__

Ignoring XML comments in SAML

Security Assertion Markup Language (SAML) is a single sign-on protocol that that used XML. The SAMLResponse message include statements that describe the authenticated user. If a user manage to place XML comments (), it may caused issue in the way the parser extract literal value. For more information checkout the (https://spring.io/blog/2018/03/01/spring-security-saml-and-this-week-s-saml-vulnerability) advisory.

__

Information Exposure Through An Error Message

The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more deadly attacks. For more information checkout the CWE-209 (https://cwe.mitre.org/data/definitions/209.html) advisory.

__

HTTP Parameter Pollution

Concatenating unvalidated user input into a URL can allow an attacker to override the value of a request parameter. For more information checkout the CAPEC-460 (https://capec.mitre.org/data/definitions/460.html) advisory.

__

AWS Query Injection

Constructing SimpleDB queries containing user input can allow an attacker to view unauthorized records. For more information checkout the CWE-943 (https://cwe.mitre.org/data/definitions/943.html) advisory.

__

Potential template injection with Pebble

A malicious user in control of a template can run malicious code on the server-side. Freemarker templates should be seen as scripts. For more information checkout the (https://portswigger.net/research/server-side-template-injection) advisory.

__

Potential template injection with Freemarker

A malicious user in control of a template can run malicious code on the server-side. Freemarker templates should be seen as scripts. For more information checkout the (https://portswigger.net/research/server-side-template-injection) advisory.

Request Dispatcher File Disclosure

Constructing a server-side redirect path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories. For more information checkout the CWE-552 (https://cwe.mitre.org/data/definitions/552.html) advisory.

__

Spring File Disclosure

Constructing a server-side redirect path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories. For more information checkout the CWE-552 (https://cwe.mitre.org/data/definitions/552.html) advisory.

__

Potential code injection when using Script Engine

Dynamic code is being evaluate. A careful analysis of the code construction should be made. Malicious code execution could lead to data leakage or operating system compromised. For more information checkout the CWE-94 (https://cwe.mitre.org/data/definitions/94.html) advisory and checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory.

Struts File Disclosure

Constructing a server-side redirect path with user input could allow an attacker to download application binaries (including application classes or jar files) or view arbitrary files within protected directories. For more information checkout the CWE-552 (https://cwe.mitre.org/data/definitions/552.html) advisory.

Unsafe Jackson deserialization configuration

Indica configuração não seguras do Jackson datablind.

When the Jackson databind library is used incorrectly the deserialization of untrusted data can lead to remote code execution, if there is a class in classpath that allows the trigger of malicious operation.

Object deserialization is used

Indica problemas relacionados a objetos desirializados.

Object deserialization of untrusted data can lead to remote code execution, if there is a class in classpath that allows the trigger of malicious operation. For more information checkout the CWE-502 (https://cwe.mitre.org/data/definitions/502.html) advisory.

Potential code injection when using Spring Expression

Indica potenciais problemas relacionados ao uso da expressão Spring.

A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. For more information checkout the CWE-94 (https://cwe.mitre.org/data/definitions/94.html) advisory and checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory.

Indica que cookies foram criados sem a flag de HttpOnly.

A new cookie is created without the HttpOnly flag set. For more information checkout the (https://owasp.org/www-community/HttpOnly) advisory.

WebView with geolocation activated

It is suggested to ask the user for a confirmation about obtaining its geolocation.

__

Use of ESAPI Encryptor

Indica atenção ao uso da criptografia ESAPI.

The ESAPI has a small history of vulnerabilities within the cryptography component. Here is a quick validation list to make sure the Authenticated Encryption is working as expected. For more information checkout the CWE-310 (https://cwe.mitre.org/data/definitions/310.html) advisory.

Static IV

Indica falhas relacionadas ao Static IV.

Initialization vector must be regenerated for each message to be encrypted. For more information checkout the CWE-329 (https://cwe.mitre.org/data/definitions/329.html) advisory.

XML Decoder usage

Indica problemas relacionados ao uso do Decoder XML.

XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. For more information checkout the CWE-20 (https://cwe.mitre.org/data/definitions/20.html) advisory.

__

Potential XSS in Servlet

Indica a presença de XSS no Servlet.

A potential XSS was found. It could be used to execute unwanted JavaScript in a client’s browser. For more information checkout the CWE-79 (https://cwe.mitre.org/data/definitions/79.html) advisory.

__

Escaping of special XML characters is disabled

Indica a presença de XSS.

A potential XSS was found. It could be used to execute unwanted JavaScript in a client’s browser. For more information checkout the CWE-79 (https://cwe.mitre.org/data/definitions/79.html) advisory.

__

Dynamic variable in Spring expression

Sinaliza para uso de expressões spring em variaveis dinâmicas.

A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation. For more information checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory.

RSA usage with short key

Indica um alerta quanto ao uso de chaves com RSA.

The NIST recommends the use of 2048 bits and higher keys for the RSA algorithm. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory.

Blowfish usage with short key

Indica um alerta quanto ao tamanho das chaves suportadas pelo Blowfish.

The Blowfish cipher supports key sizes from 32 bits to 448 bits. A small key size makes the ciphertext vulnerable to brute force attacks. At least 128 bits of entropy should be used when generating the key if use of Blowfish is required. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory.

Classes should not be loaded dynamically

Indica possíveis riscos de algumas classes estarem sendo carregadas de forma dinâmica.

Dynamically loaded classes could contain malicious code executed by a static class initializer. I.E. you wouldn’t even have to instantiate or explicitly invoke methods on such classes to be vulnerable to an attack. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory.

__

HostnameVerifier.verify should not always return true

Indica que o valor do HostnameVerifier.verify está retornando como true, quando deveria trazer mais informações.

To prevent URL spoofing, HostnameVerifier.verify() methods should do more than simply return true. Doing so may get you quickly past an exception, but that comes at the cost of opening a security hole in your application. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.

XPath expressions should not be vulnerable to injection attacks

Indica que expressões XPath estão vulneráveis a certos ataques.

User provided data, such as URL parameters, should always be considered untrusted and tainted. Constructing XPath expressions directly from tainted data enables attackers to inject specially crafted values that changes the initial meaning of the expression itself. Successful XPath injection attacks can read sensitive information from XML documents. For more information checkout the CWE-643 (https://cwe.mitre.org/data/definitions/643.html) advisory.

Exceptions should not be thrown from servlet methods

Indica possíveis falhas de segurança em alguns métodos servlet.

Even though the signatures for methods in a servlet include throws IOException, ServletException, it’s a bad idea to let such exceptions be thrown. Failure to catch exceptions in a servlet could leave a system in a vulnerable state. For more information checkout the CWE-600 (https://cwe.mitre.org/data/definitions/600.html) advisory.

I/O function calls should not be vulnerable to path injection attacks

Indica que a função I/O está vulnerável a certos ataques.

User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Constructing file system paths directly from tainted data could enable an attacker to inject specially crafted values, such as ‘../’, that change the initial path and, when accessed, resolve to a path on the filesystem where the user should normally not have access. A successful attack might give an attacker the ability to read, modify, or delete sensitive information from the file system and sometimes even execute arbitrary operating system commands. This is often referred to as a “path traversal” or “directory traversal” attack. For more information checkout the CWE-99 (https://cwe.mitre.org/data/definitions/99.html) advisory and checkout the (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A1-Injection)

ActiveMQConnectionFactory should not be vulnerable to malicious code deserialization

Indica que o ActiveMOConnectionFactory está vulnerável a códigos maliciosos.

Internally, ActiveMQ relies on Java serialization mechanism for marshaling/unmashaling of the message payload. Deserialization based on data supplied by the user could lead to remote code execution attacks, where the structure of the serialized data is changed to modify the behavior of the object being unserialized. For more information checkout the CWE-502 (https://cwe.mitre.org/data/definitions/502.html) advisory

HTTP response headers should not be vulnerable to injection attacks

Indica que a resposta HTTP está vulnerável a certos ataques.

User provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Applications constructing HTTP response headers based on tainted data could allow attackers to change security sensitive headers like Cross-Origin Resource Sharing headers. This could, for example, enable Cross-Site Scripting (XSS) attacks. Web application frameworks and servers might also allow attackers to inject new line characters in headers to craft malformed HTTP response. In this case the application would be vulnerable to a larger range of attacks like HTTP Response Splitting/Smuggling. Most of the time this type of attack is mitigated by default modern web application frameworks but there might be rare cases where older versions are still vulnerable. As a best practice, applications that use user provided data to construct the response header should always validate the data first. Validation should be based on a whitelist. For more information checkout the CWE-79 (https://cwe.mitre.org/data/definitions/79.html) advisory and checkout (https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)).

OpenSAML2 should be configured to prevent authentication bypass

Indica que o OpenSAML2 não está devidamente configurado.

From a specially crafted file, an attacker having already access to the SAML system with his own account can bypass the authentication mechanism and be authenticated as another user. This is due to the fact that SAML protocol rely on XML format and how the underlying XML parser interprets XML comments. If an attacker manage to change the field identifying the authenticated user with XML comments, he can exploit the vulnerability. For more information checkout the OWASP (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication) advisory.

HttpServletRequest.getRequestedSessionId should not be used

Indica quando há uma sessão com um ID que não foi devidamente autenticado.

Due to the ability of the end-user to manually change the value, the session ID in the request should only be used by a servlet container (E.G. Tomcat or Jetty) to see if the value matches the ID of an an existing session. If it does not, the user should be considered unauthenticated. Moreover, this session ID should never be logged to prevent hijacking of active sessions. For more information checkout the CWE-807 (https://cwe.mitre.org/data/definitions/807) advisory.

LDAP authenticated Analyze your code

Indica atenção caso haja acessos indevidos ao diretório do LDAP.

An LDAP client authenticates to an LDAP server with a “bind request” which provides, among other, a simple authentication method. Anonymous binds and unauthenticated binds allow access to information in the LDAP directory without providing a password, their use is therefore strongly discouraged. For more information checkout the CWE-521 (https://cwe.mitre.org/data/definitions/521.html) advisory and checkout (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication).

Web applications should not have a main method

Indica que as aplicações web não possuem o método main.

Having a main method in a web application opens a door to the application logic that an attacker may never be able to reach (but watch out if one does!), but it is a sloppy practice and indicates that other problems may be present. For more information checkout the CWE-489 (https://cwe.mitre.org/data/definitions/489.html) advisory.

SecureRandom seeds should not be predictable

Indica que o Secure Random, se usado de forma incorreta, pode enfraquecer a segurança de seus dados.

The java.security.SecureRandom class provides a strong random number generator (RNG) appropriate for cryptography. However, seeding it with a constant or another predictable value will weaken it significantly. In general, it is much safer to rely on the seed provided by the SecureRandom implementation. For more information checkout the CWE-330 (https://cwe.mitre.org/data/definitions/330.html) advisory and checkout (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration).


Última modificação 20.05.2021: Fix version 1.0.0 with new links (a868f86)