Security
cookie-missing-secure-flag
cookie-missing-secure-flag
cookie-missing-httponly
cookie-missing-httponly
gcm-detection
gcm-detection
GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different.Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-323: Reusing a Nonce, Key Pair in Encryption
OWASP:
- A02:2021 - Cryptographic Failures
bad-hexa-conversion
bad-hexa-conversion
‘Integer.toHexString()’ strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use ‘String.format(“%02X”, …)’ instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-704: Incorrect Type Conversion or Cast
OWASP:
- A
- 0
- 3
- :
- 2
- 0
- 1
- 7
-
- -
-
- S
- e
- n
- s
- i
- t
- i
- v
- e
-
- D
- a
- t
- a
-
- E
- x
- p
- o
- s
- u
- r
- e
unencrypted-socket
unencrypted-socket
This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by ‘SSLSocketFactory’ or ‘SSLServerSocketFactory’ instead
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-319: Cleartext Transmission of Sensitive Information
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
defaulthttpclient-is-deprecated
defaulthttpclient-is-deprecated
DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
ecb-cipher
ecb-cipher
Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
command-injection-formatted-runtime-call
command-injection-formatted-runtime-call
A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
use-of-md5
use-of-md5
Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-328: Use of Weak Hash
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
anonymous-ldap-bind
anonymous-ldap-bind
Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-287: Improper Authentication
OWASP:
- A02:2017 - Broken Authentication
- A07:2021 - Identification and Authentication Failures
no-null-cipher
no-null-cipher
NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(“AES/CBC/PKCS7PADDING”). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
use-of-weak-rsa-key
use-of-weak-rsa-key
RSA keys should be at least 2048 bits based on NIST recommendation.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-326: Inadequate Encryption Strength
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
use-of-sha1
use-of-sha1
Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures