Hash Verification #1042

Closed
securitiz opened this issue Feb 1, 2021 · 4 comments
Labels: feature (use for describing a new feature to develop), solved (use to identify issue that has been solved; must be linked to the solving PR)

@securitiz

Description

When creating a File observable, OpenCTI no longer verifies that the MD5 value entered is a legitimate MD5 hash. The same goes for SHA1 and SHA256.

Environment

  1. OS (where OpenCTI server runs): Demo instance
  2. OpenCTI version: OpenCTI 4.1.1
  3. OpenCTI client: frontend
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create new File object
  2. Enter random digits as MD5
  3. Click "Create"

Expected Output

Error - this is not a valid hash

Actual Output

Successfully created File object

Additional information

[image]

@richard-julien added the feature label (use for describing a new feature to develop) on Feb 1, 2021
@richard-julien
Member

Hi @securitiz,

Any lib/rules in mind to check that? Thanks

@securitiz
Author

I'm not intimately familiar with the specs for each hash type, but you could initially check the value length, where:

  • MD5 is 32 characters
  • SHA1 is 40 characters
  • SHA256 is 64 characters

Then you could ensure that all the characters are hexadecimal (0-9, A-F, a-f).
This could all be verified with regex, and would be a sufficient start.

@CyberDaedalus00

If you want to be aligned with STIX 2.1 hash values, here are the regex patterns for hash algorithms in the spec:

  • MD5 pattern: "^[a-fA-F0-9]{32}$"
  • SHA-1 pattern: "^[a-fA-F0-9]{40}$"
  • SHA-256 pattern: "^[a-fA-F0-9]{64}$"
  • SHA-512 pattern: "^[a-fA-F0-9]{128}$"
  • SHA3-256 pattern: "^[a-fA-F0-9]{64}$"
  • SHA3-512 pattern: "^[a-fA-F0-9]{128}$"
  • SSDEEP pattern: "^[a-zA-Z0-9/+:.]{1,128}$"
  • TLSH pattern: "^[a-zA-Z0-9]{70}$"
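
The format check discussed in this thread, built on the patterns quoted in the comment above, as an added example that is not part of the original thread and is not OpenCTI's own code. The names `HASH_PATTERNS`, `ALIASES` and `validateHashes` are hypothetical, and the sample values are constructed.

```javascript
// Added example: patterns copied from the comment above; all identifiers
// here are hypothetical, not OpenCTI names.
const HASH_PATTERNS = {
  'MD5': /^[a-fA-F0-9]{32}$/,
  'SHA-1': /^[a-fA-F0-9]{40}$/,
  'SHA-256': /^[a-fA-F0-9]{64}$/,
  'SHA-512': /^[a-fA-F0-9]{128}$/,
  'SHA3-256': /^[a-fA-F0-9]{64}$/,
  'SHA3-512': /^[a-fA-F0-9]{128}$/,
  'SSDEEP': /^[a-zA-Z0-9\/+:.]{1,128}$/,
  'TLSH': /^[a-zA-Z0-9]{70}$/,
};

// Accept the spellings used in this thread ("SHA1", "SHA256") as aliases.
const ALIASES = { SHA1: 'SHA-1', SHA256: 'SHA-256', SHA512: 'SHA-512' };

// Returns one error entry per rejected hash; an empty array means all passed.
function validateHashes(hashes) {
  const errors = [];
  for (const [rawAlgo, value] of Object.entries(hashes)) {
    const upper = rawAlgo.toUpperCase();
    const algo = ALIASES[upper] || upper;
    const pattern = HASH_PATTERNS[algo];
    if (!pattern) {
      errors.push({ algo: rawAlgo, reason: 'unknown algorithm' });
    } else if (typeof value !== 'string') {
      // RegExp.test() coerces its argument to a string, so a one-element
      // array holding a valid digest would otherwise pass the pattern.
      errors.push({ algo, reason: 'not a string' });
    } else if (!pattern.test(value)) {
      // Covers wrong length, non-hex characters and a trailing newline
      // (without the "m" flag, "$" only matches at the very end of input).
      errors.push({ algo, reason: 'malformed value' });
    }
  }
  return errors;
}

// Constructed sample: the issue's reproduction (random digits as MD5)
// next to a well-formed SHA-256 value.
console.log(validateHashes({ MD5: '1234567890', SHA256: 'ab'.repeat(32) }));
```

A format check cannot tell SHA-256 from SHA3-256, since both patterns are 64 hex characters; it only rejects values that cannot be a digest of the named algorithm.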

@richard-julien
Member

Thanks for your insights @securitiz and @CyberDaedalus00.

@SamuelHassine added the solved label (use to identify issue that has been solved; must be linked to the solving PR) on Feb 13, 2021
@SamuelHassine added this to the Release 4.2.2 milestone on Feb 13, 2021