Rules Repository: RSPEC-2087

Weak encryption should not be used


    Details

    • Type: Vulnerability Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Use a stronger algorithm to encrypt this password.
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C#, C, C++, Cobol, Java, JavaScript, Objective-C, PHP, Python, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-261
    • OWASP:
      A3

    Description

      Security through obscurity is no security at all, and the use of Base64 encoding to obscure a password will only slow an attacker down for seconds, at the most. Instead, passwords should be encrypted with private keys that are at least 128 bits in length.

      This rule checks for the use of Base64 decoding on values that are then used in database and LDAP connections.
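      The following Java program is an added illustration of the pattern the rule flags and of the remediation the description asks for; it is not SonarSource's own rule code or a sample from RSPEC-2088. It puts the noncompliant form (a Base64-decoded literal handed to a database connection) next to a compliant form in which the stored value is AES-GCM-encrypted under a 128-bit key that lives outside the source. The class name Rspec2087Example, the environment variable DB_PASSWORD_KEY and the sample password are assumptions made for the example; when the variable is unset the program generates a throw-away key so it still runs stand-alone.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class Rspec2087Example {

    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    // Noncompliant: Base64 is an encoding, not encryption. Anyone who can read the
    // source (or decompile the class file) recovers the password instantly, which is
    // exactly what RSPEC-2087 reports when the decoded value reaches a DB/LDAP connection.
    static String noncompliantPassword() {
        String obscured = "cGFzc3dvcmQ="; // constructed sample: Base64 of "password"
        String decoded = new String(Base64.getDecoder().decode(obscured), StandardCharsets.UTF_8);
        // Connection c = DriverManager.getConnection(url, user, decoded); // flagged by the rule
        return decoded;
    }

    // Key of at least 128 bits, supplied from outside the code base. The variable name
    // DB_PASSWORD_KEY is hypothetical; a secrets manager or KMS would be the usual source.
    static SecretKey loadKey() throws Exception {
        String fromEnv = System.getenv("DB_PASSWORD_KEY");
        if (fromEnv != null) {
            byte[] raw = Base64.getDecoder().decode(fromEnv);
            if (raw.length * 8 < 128) {
                throw new IllegalStateException("DB_PASSWORD_KEY is shorter than 128 bits");
            }
            return new SecretKeySpec(raw, "AES");
        }
        // Demo fallback only, so the example runs without configuration.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return kg.generateKey();
    }

    // AES-GCM with a random 96-bit IV; output layout is iv || ciphertext+tag.
    static byte[] encrypt(byte[] plaintext, SecretKey key) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Decrypts the blob produced by encrypt(); GCM also rejects any tampered ciphertext.
    static byte[] decrypt(byte[] blob, SecretKey key) throws Exception {
        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, spec);
        return cipher.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
    }

    // Compliant: the Base64 text in configuration is ciphertext, not the password, and
    // nothing usable comes out of it without the externally held 128-bit key.
    static String compliantPassword(String storedCiphertextB64, SecretKey key) throws Exception {
        byte[] blob = Base64.getDecoder().decode(storedCiphertextB64);
        return new String(decrypt(blob, key), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Noncompliant literal decodes to: " + noncompliantPassword());

        SecretKey key = loadKey();
        // Provisioning step, done once outside the application: encrypt the real password.
        String stored = Base64.getEncoder().encodeToString(
                encrypt("s3cret-db-password".getBytes(StandardCharsets.UTF_8), key));
        // Runtime step: decrypt immediately before opening the connection.
        String password = compliantPassword(stored, key);
        // Connection c = DriverManager.getConnection(url, user, password);
        System.out.println("Compliant round trip ok: " + password.equals("s3cret-db-password"));
    }
}
```

      Compile and run with `javac Rspec2087Example.java && java Rspec2087Example`; no database driver is needed because the connection calls are left as comments. The design point is that the secret which protects the password (the AES key) is never in the repository, so a leaked source tree or config file no longer yields working credentials.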


    Issue Links

      1. Java RSPEC-2088 (Language-Specification, Active, Unassigned)

    People

      Assignee: Unassigned
      Reporter: Ann Campbell (ann.campbell.2)
      Votes: 0
      Watchers: 1