We are reporting this since your readme mentions that QARK attempts to find “Weak or improper cryptography use”.
We believe this may be due to underlying implementation or design gaps.
Here are the details of our analysis and the cryptographic misuses:
Using QARK version 4.0.0
Using Python version 3.5.2
Using OpenJDK version 1.8.0_232 64 bit
Running on Ubuntu 18.04, Kernel 4.4.0-174-generic
Each cryptographic vulnerability was generated as a barebones Java project that contained only a single vulnerability in the main function and used up to two Java source files. Additionally, all cryptographic API calls were from the Java Cryptography Architecture (JCA).
Replacing a Secure Parameter with an Insecure Parameter:
Replacing an Insecure Parameter with an Insecure Parameter:
where “AES” by itself is insecure as it defaults to using ECB.
Transforming string case, e.g., from lower to upper case:
Replacing a noisy version of insecure parameters:
Inserting an Insecure Parameter via chaining method calls:
where obj.A().getCipherName() returns the secure value, but obj.A().B().getCipherName() and obj.B().getCipherName() return the insecure value.
Please let me know if you need any additional information (e.g., logs from our side) in fixing these issues.
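As an added example (not code from the issue reporter and not QARK's own checker), the following Python snippet shows how a detector can normalise the argument of Cipher.getInstance() the way the JCA itself does before matching it against a deny-list, so the evasions listed above (a bare "AES" that the provider completes to ECB, case changes via toUpperCase()/toLowerCase(), and transformation strings assembled from concatenated literals) are still caught. The chained-method case cannot be resolved by folding string constants; it needs data-flow analysis, so the example reports it as unresolved instead of silently passing it. The deny-list contents, the function names and the sample Java lines are assumptions constructed for illustration.

```python
import re

# Added example, not QARK's code. Deny-list contents are assumptions.
INSECURE_MODES = {"ECB"}
WEAK_ALGORITHMS = {"DES", "DESEDE", "RC2", "RC4", "ARCFOUR", "BLOWFISH"}

GET_INSTANCE = re.compile(r"Cipher\s*\.\s*getInstance\s*\((.*)\)")
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
CASE_CALL = re.compile(r"\.\s*to(?:Upper|Lower)Case\s*\(\s*\)")


def first_argument(args: str) -> str:
    """Return the first argument of an argument list, ignoring commas inside
    string literals or nested parentheses (the optional second argument of
    getInstance is the provider, which is irrelevant here)."""
    depth, in_string = 0, False
    for i, ch in enumerate(args):
        if ch == '"' and (i == 0 or args[i - 1] != "\\"):
            in_string = not in_string
        elif not in_string:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                return args[:i]
    return args


def fold_constant(expr: str):
    """Fold an expression into a constant transformation string when it is
    built only from string literals joined with '+', optionally wrapped in
    toUpperCase()/toLowerCase(). JCA matches transformations
    case-insensitively, so the case-changing calls can simply be dropped.
    Returns None for anything else, e.g. a chained method call whose
    result would need data-flow analysis to resolve."""
    expr = CASE_CALL.sub("", expr.strip())
    parts = []
    # Transformation strings never contain '+', so splitting on it is safe.
    for piece in expr.split("+"):
        match = STRING_LITERAL.fullmatch(piece.strip())
        if match is None:
            return None
        parts.append(match.group(1))
    return "".join(parts)


def classify_transformation(spec: str) -> dict:
    """Classify a JCA transformation. A bare algorithm name such as "AES" is
    completed by the provider (SunJCE and Android's providers) to
    AES/ECB/PKCS5Padding, so a missing mode is treated as ECB."""
    fields = [f.strip().upper() for f in spec.split("/")]
    algorithm = fields[0]
    mode = fields[1] if len(fields) > 1 else "ECB"
    reasons = []
    if algorithm in WEAK_ALGORITHMS:
        reasons.append(f"weak algorithm {algorithm}")
    if mode in INSECURE_MODES:
        reasons.append("ECB mode" + (" (provider default)" if len(fields) == 1 else ""))
    return {"algorithm": algorithm, "mode": mode, "reasons": reasons}


def scan(java_source: str) -> list:
    """Scan Java source text for Cipher.getInstance() calls and return one
    finding per call with verdict 'insecure', 'ok' or 'unresolved'."""
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        m = GET_INSTANCE.search(line)
        if m is None:
            continue
        spec = fold_constant(first_argument(m.group(1)))
        if spec is None:
            findings.append({"line": lineno, "spec": None, "verdict": "unresolved",
                             "reasons": ["argument is not a compile-time constant"]})
            continue
        info = classify_transformation(spec)
        findings.append({"line": lineno, "spec": spec,
                         "verdict": "insecure" if info["reasons"] else "ok",
                         "reasons": info["reasons"]})
    return findings


# Constructed sample modelled on the evasion cases described in the issue
# (not the reporter's actual test projects).
SAMPLE_JAVA = """\
Cipher c1 = Cipher.getInstance("AES/CBC/PKCS5Padding");
Cipher c2 = Cipher.getInstance("AES/ECB/PKCS5Padding");
Cipher c3 = Cipher.getInstance("AES");
Cipher c4 = Cipher.getInstance("aes/ecb/pkcs5padding".toUpperCase(), "BC");
Cipher c5 = Cipher.getInstance("AES/" + "ECB" + "/PKCS5Padding");
Cipher c6 = Cipher.getInstance(obj.A().B().getCipherName());
Cipher c7 = Cipher.getInstance("DES/CBC/PKCS5Padding");
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_JAVA):
        print(f"line {f['line']}: {f['verdict']:10} {f['spec']!r} {'; '.join(f['reasons'])}")
```

The point of normalising before matching is that the deny-list is compared against what the provider will actually instantiate, not against the literal the developer typed; an "unresolved" verdict is kept as a distinct result so that a reviewer sees which calls the string-folding step could not decide.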