powershell/ql/src/queries/security/cwe-327
2020 preferred as it provides both confidentiality and integrity.
2121 </p >
2222 </recommendation >
23- <example >
24- <p >
25- The following example shows a weak cipher mode (ECB) being used for encryption:
26- </p >
27- <sample language =" powershell" >
28- # BAD: Using ECB mode which reveals patterns in encrypted data
29- $aes = [System.Security.Cryptography.Aes]::Create()
30- $aes.Mode = [System.Security.Cryptography.CipherMode]::ECB
31- </sample >
32- <p >
33- The following example shows a recommended approach using CBC mode with a random IV:
34- </p >
35- <sample language =" powershell" >
36- # GOOD: Using CBC mode with a random IV
37- $aes = [System.Security.Cryptography.Aes]::Create()
38- $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
39- $aes.GenerateIV()
40- </sample >
41- </example >
4223 <references >
4324 <li >NIST, SP 800-38A: <a href =" https://csrc.nist.gov/publications/detail/sp/800-38a/final" >Recommendation for Block Cipher Modes of Operation</a >.</li >
4425 <li >OWASP: <a href =" https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html" >Cryptographic Storage Cheat Sheet</a >.</li >
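Review bot: dropping the whole `<example>` block leaves this qhelp with a recommendation but nothing that shows what the query flags or what a compliant call looks like. The recommendation text visible here ("preferred as it provides both confidentiality and integrity") describes an authenticated mode, and the deleted GOOD sample (`$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC` followed by `$aes.GenerateIV()`) contradicted that advice, since CBC on its own provides no integrity; the right fix is to replace the sample with one that matches the recommendation (or reference a `.ps1` example file via `<sample src="...">`) rather than delete it. Also note that, unlike the two other qhelp files in this commit, no blank line is inserted here between `</recommendation>` and `<references>`; keep the spacing consistent across the three files.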
@@ -18,7 +18,6 @@ import powershell
1818import semmle.code.powershell.ApiGraphs
1919import semmle.code.powershell.dataflow.DataFlow
2020
21-
2221class CryptDeriveKeyCall extends DataFlow:: CallNode {
2322 CryptDeriveKeyCall ( ) {
2423 this = API:: getTopLevelMember ( "system" )
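Review bot: whitespace-only change (one of the two blank lines between the imports and `class CryptDeriveKeyCall` is removed); harmless, but it is unrelated to the documentation edits in the other files and would be easier to review as a separate commit or at least called out in the commit message.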
1818 like PBKDF2, bcrypt, or Argon2.
1919 </p >
2020 </recommendation >
21- <example >
22- <p >
23- The following example shows the use of weak hash algorithms:
24- </p >
25- <sample language =" powershell" >
26- # BAD: Using MD5 which is cryptographically broken
27- $md5 = [System.Security.Cryptography.MD5]::Create()
28- $hash = $md5.ComputeHash($data)
29-
30- # BAD: Using SHA1 which has known collision vulnerabilities
31- $sha1 = [System.Security.Cryptography.SHA1]::Create()
32- $hash = $sha1.ComputeHash($data)
33- </sample >
34- <p >
35- The following example shows the recommended approach using SHA-256:
36- </p >
37- <sample language =" powershell" >
38- # GOOD: Using SHA-256 which is a strong cryptographic hash
39- $sha256 = [System.Security.Cryptography.SHA256]::Create()
40- $hash = $sha256.ComputeHash($data)
41- </sample >
42- </example >
21+
4322 <references >
4423 <li >NIST, SP 800-131A: <a href =" https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final" >Transitioning the Use of Cryptographic Algorithms and Key Lengths</a >.</li >
4524 <li >OWASP: <a href =" https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html" >Password Storage Cheat Sheet</a >.</li >
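Review bot: the deleted example was the only place this qhelp illustrated the distinction the recommendation depends on. The recommendation text visible here (`like PBKDF2, bcrypt, or Argon2`) is about password hashing, while the removed samples (`[System.Security.Cryptography.MD5]::Create()`, `SHA1`, and the `SHA256` replacement) are about general-purpose digests, and SHA-256 on its own is not an appropriate password hash. Rather than removing the example, replace it with one BAD/GOOD pair per case (MD5/SHA-1 versus SHA-256 for integrity hashing; a fast digest versus a slow key-derivation function for passwords), so the alert text and the fix text agree. The new `21+` blank line before `<references>` is fine in itself but should match the cipher-mode qhelp in this same commit, which adds none.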
2121 AES is the current standard for symmetric encryption and is considered secure when used correctly.
2222 </p >
2323 </recommendation >
24- <example >
25- <p >
26- The following examples show the use of weak symmetric algorithms:
27- </p >
28- <sample language =" powershell" >
29- # BAD: Using DES which has a 56-bit key
30- $des = [System.Security.Cryptography.DES]::Create()
31-
32- # BAD: Using Triple DES which is deprecated
33- $tdes = [System.Security.Cryptography.TripleDES]::Create()
34-
35- # BAD: Using RC2 which has known weaknesses
36- $rc2 = [System.Security.Cryptography.RC2]::Create()
37- </sample >
38- <p >
39- The following example shows the recommended approach using AES:
40- </p >
41- <sample language =" powershell" >
42- # GOOD: Using AES which is the current standard
43- $aes = [System.Security.Cryptography.Aes]::Create()
44- $aes.KeySize = 256
45- $aes.GenerateKey()
46- $aes.GenerateIV()
47- </sample >
48- </example >
24+
4925 <references >
5026 <li >NIST, FIPS 197: <a href =" https://csrc.nist.gov/publications/detail/fips/197/final" >Advanced Encryption Standard (AES)</a >.</li >
5127 <li >NIST, SP 800-131A: <a href =" https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final" >Transitioning the Use of Cryptographic Algorithms and Key Lengths</a >.</li >
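Review bot: removing the example leaves "considered secure when used correctly" with no illustration of what "correctly" means for the reader of an alert. The deleted GOOD sample (`$aes.KeySize = 256`, `$aes.GenerateKey()`, `$aes.GenerateIV()`) was incomplete, since it never set `Mode` or `Padding` and so relied on the .NET defaults, and it generated a key without showing where a real key would come from; that is a reason to rewrite it, not to drop it. Suggest restoring a sample that sets the mode explicitly and derives or loads the key (or move it to a `.ps1` referenced by `<sample src="...">`). The removed DES/TripleDES/RC2 lines were also the clearest statement of what the query flags; without them the qhelp only describes the fix. The `24+` blank line matches the hashing qhelp but not the cipher-mode one; pick one spacing for all three.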