/
weak_encryption.yml
132 lines (125 loc) · 3.3 KB
/
weak_encryption.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
patterns:
- pattern: |
Digest::SHA1.hexidigest()
- pattern: |
Digest::MD5.hexdigest()
- pattern: |
$<VAR>.$<METHOD>($<_>)
filters:
- variable: VAR
detection: rc4_init
- variable: METHOD
values:
- encrypt
- encrypt!
- decrypt
- pattern: |
$<VAR>.$<METHOD>($<_>)
filters:
- variable: VAR
detection: openssl_rsa_init
- variable: METHOD
values:
- private_decrypt
- private_encrypt
- public_decrypt
- public_encrypt
- pattern: |
$<VAR>.$<METHOD>($<_>)
filters:
- variable: VAR
detection: openssl_rsa_init
- variable: METHOD
values:
- export
- to_pem
- to_s
- pattern: |
$<VAR>.$<METHOD>($<_>)
filters:
- variable: VAR
detection: openssl_dsa_init
- variable: METHOD
values:
- export
- to_pem
- to_s
- pattern: |
$<VAR>.$<METHOD>()
filters:
- variable: VAR
detection: blowfish_init
- variable: METHOD
values:
- encrypt_pair
- encrypt_string
- decrypt_pair
- decrypt_string
- pattern: |
$<VAR>.$<METHOD> do
$<_>
end
filters:
- variable: VAR
detection: blowfish_init
- variable: METHOD
values:
- encrypt_block
- decrypt_block
- pattern: |
$<VAR>.$<METHOD> {
$<_>
}
filters:
- variable: VAR
detection: blowfish_init
- variable: METHOD
values:
- encrypt_block
- decrypt_block
languages:
- ruby
auxiliary:
- id: rc4_init
patterns:
- |
RC4.new()
- id: openssl_rsa_init
patterns:
- |
OpenSSL::PKey::RSA.new()
- id: openssl_dsa_init
patterns:
- |
OpenSSL::PKey::DSA.new()
- id: blowfish_init
patterns:
- |
Crypt::Blowfish.new()
trigger: presence
severity:
default: low # FIXME: warning
metadata:
description: "Avoid weak encryption libraries."
remediation_message: |
## Description
A weak encryption or hashing library can lead to data breaches and greater security risk. This rule checks for the use of weak encryption and hashing libraries or algorithms.
## Remediations
According to [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption): MD5, RC4, DES, Blowfish, SHA1. 1024-bit RSA or DSA, 160-bit ECDSA (elliptic curves), 80/112-bit 2TDEA (two key triple DES) are considered as weak hash/encryption algorithms and therefor shouldn't be used.
❌ Avoid libraries and algorithms with known weaknesses:
```ruby
Digest::SHA1.hexdigest 'weak password encryption'
Crypt::Blowfish.new("weak password encryption")
RC4.new("weak password encryption")
OpenSSL::PKey::RSA.new 1024
OpenSSL::PKey::DSA.new 1024
Digest::MD5.hexdigest 'unsecure string'
```
✅ Instead, we recommend using bcrypt:
```ruby
BCrypt::Password.create('iLOVEdogs123')
```
## Resources
- [BCrypt Explained](https://dev.to/sylviapap/bcrypt-explained-4k5c)
dsr_id: DSR-7
id: ruby_lang_weak_encryption