False positive when dealing with basic authentication's and Base64 encoding #816

Closed
leandrorodrigueszup opened this issue Nov 24, 2021 · 5 comments · Fixed by #974
Labels
good first issue Good for newcomers kind/bug Something isn't working kind/false-positive This issue is related with false positive project/horusec-engine This issue is related to the project https://github.com/ZupIT/horusec-engine

Comments

@leandrorodrigueszup

What happened:
Horusec reports that this code:

    .addContentType("application/x-www-form-urlencoded")

as: Basic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.

Maybe I'm wrong but, why is this a base64 security issue?

What you expected to happen:

Not be reported as a vulnerability.

How to reproduce it (as minimally and precisely as possible):

Create a minimal kotlin project that make a http request with the Content-Type header set as application/x-www-form-urlencoded

Environment:

  • Horusec version (use horusec version): v1.10.3
  • Operating System: Ubuntu 20.04
@leandrorodrigueszup leandrorodrigueszup added the kind/bug Something isn't working label Nov 24, 2021
@matheusalcantarazup
Contributor

matheusalcantarazup commented Nov 24, 2021

I think that the problem is with the regex from rule HS-JVM-38. Since we have a .encode pattern in the rule, the regex matches the urlencoded string.

Thank you very much for noticing this.

Btw, I think it would be better if you upgraded your horusec version to the latest version. We do not support v1.10.3.

@leandrorodrigueszup
Author

I'm downloading from here: https://horusec.io/bin/latest/linux_x64/horusec. Is it wrong?

@matheusalcantarazup
Contributor

> I'm downloading from here: https://horusec.io/bin/latest/linux_x64/horusec. Is it wrong?

This is the old URL for download, only for v1 versions. You should follow the installation process from documentation.

The README.md also contains the installation processes.

@wiliansilvazup wiliansilvazup reopened this Dec 1, 2021
@matheusalcantarazup matheusalcantarazup added the good first issue Good for newcomers label Dec 1, 2021
@matheusalcantarazup matheusalcantarazup added the project/horusec-engine This issue is related to the project https://github.com/ZupIT/horusec-engine label Jan 21, 2022
@jonybuzz

Just to add a few more examples of this case:

    {
      "vulnerabilityID": "00000000-0000-0000-0000-000000000000",
      "analysisID": "759fa0d2-badc-41d9-9471-9bd782f0223d",
      "createdAt": "2022-01-27T20:54:59.369644152Z",
      "vulnerabilities": {
        "vulnerabilityID": "f8adeddd-94c4-4a7c-aa09-ae0a5aa6659e",
        "line": "56",
        "column": "54",
        "confidence": "LOW",
        "file": "build.gradle",
        "code": "runtimeOnly \"net.logstash.logback:logstash-logback-encoder:${logstashLogbackEncoder}\"",
        "details": "Base64 Encode\nBasic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.",
        "securityTool": "HorusecEngine",
        "language": "Java",
        "severity": "MEDIUM",
        "type": "Vulnerability",
        "commitAuthor": "-",
        "commitEmail": "-",
        "commitHash": "-",
        "commitMessage": "-",
        "commitDate": "-",
        "vulnHash": "5fb1e62a4d2ff3179b9f4e8192ef0d2c84ca2855559e4091841412ae4401fc69"
      }
    },
    {
      "vulnerabilityID": "00000000-0000-0000-0000-000000000000",
      "analysisID": "759fa0d2-badc-41d9-9471-9bd782f0223d",
      "createdAt": "2022-01-27T20:54:59.369740464Z",
      "vulnerabilities": {
        "vulnerabilityID": "7e26125a-fb6b-4069-8c15-2a9ba4486bdd",
        "line": "11",
        "column": "8",
        "confidence": "LOW",
        "file": "src/main/resources/conf/logback-access.xml",
        "code": "<encoder class=\"net.logstash.logback.encoder.AccessEventCompositeJsonEncoder\">",
        "details": "Base64 Encode\nBasic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.",
        "securityTool": "HorusecEngine",
        "language": "Java",
        "severity": "MEDIUM",
        "type": "Vulnerability",
        "commitAuthor": "-",
        "commitEmail": "-",
        "commitHash": "-",
        "commitMessage": "-",
        "commitDate": "-",
        "vulnHash": "5cd9c5a7143a4449dbfe8b60b74cb39f0fb256f2b4d890f3da16540c16dd390f"
      }
    },
    {
      "vulnerabilityID": "00000000-0000-0000-0000-000000000000",
      "analysisID": "759fa0d2-badc-41d9-9471-9bd782f0223d",
      "createdAt": "2022-01-27T20:54:59.369742424Z",
      "vulnerabilities": {
        "vulnerabilityID": "80e4b39f-4e9c-4144-828e-e6adeace9b4e",
        "line": "11",
        "column": "44",
        "confidence": "LOW",
        "file": "src/main/resources/conf/logback-access.xml",
        "code": "<encoder class=\"net.logstash.logback.encoder.AccessEventCompositeJsonEncoder\">",
        "details": "Base64 Encode\nBasic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.",
        "securityTool": "HorusecEngine",
        "language": "Java",
        "severity": "MEDIUM",
        "type": "Vulnerability",
        "commitAuthor": "-",
        "commitEmail": "-",
        "commitHash": "-",
        "commitMessage": "-",
        "commitDate": "-",
        "vulnHash": "5cd9c5a7143a4449dbfe8b60b74cb39f0fb256f2b4d890f3da16540c16dd390f"
      }
    },
    {
      "vulnerabilityID": "00000000-0000-0000-0000-000000000000",
      "analysisID": "759fa0d2-badc-41d9-9471-9bd782f0223d",
      "createdAt": "2022-01-27T20:54:59.369744534Z",
      "vulnerabilities": {
        "vulnerabilityID": "1824609c-f7f4-4131-a6f4-5dc681e2fc74",
        "line": "56",
        "column": "9",
        "confidence": "LOW",
        "file": "src/main/resources/conf/logback-access.xml",
        "code": "</encoder>",
        "details": "Base64 Encode\nBasic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.",
        "securityTool": "HorusecEngine",
        "language": "Java",
        "severity": "MEDIUM",
        "type": "Vulnerability",
        "commitAuthor": "-",
        "commitEmail": "-",
        "commitHash": "-",
        "commitMessage": "-",
        "commitDate": "-",
        "vulnHash": "a1e700eb2d8ff38f3f882a991b6eaaecc2c1a8e3cf9b72450e62ae15af3123da"
      }
    },
    {
      "vulnerabilityID": "00000000-0000-0000-0000-000000000000",
      "analysisID": "759fa0d2-badc-41d9-9471-9bd782f0223d",
      "createdAt": "2022-01-27T20:54:59.369746484Z",
      "vulnerabilities": {
        "vulnerabilityID": "017362d8-09d8-4fe4-b3b8-123b3c188628",
        "line": "5",
        "column": "8",
        "confidence": "LOW",
        "file": "src/main/resources/logback-spring.xml",
        "code": "<encoder class=\"net.logstash.logback.encoder.LoggingEventCompositeJsonEncoder\">",
        "details": "Base64 Encode\nBasic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.",
        "securityTool": "HorusecEngine",
        "language": "Java",
        "severity": "MEDIUM",
        "type": "Vulnerability",
        "commitAuthor": "-",
        "commitEmail": "-",
        "commitHash": "-",
        "commitMessage": "-",
        "commitDate": "-",
        "vulnHash": "12c6199a7f57c3519bdf969af677b05c1db93331a3624dac40b9b74482ca03f9"
      }
    },
    {
      "vulnerabilityID": "00000000-0000-0000-0000-000000000000",
      "analysisID": "759fa0d2-badc-41d9-9471-9bd782f0223d",
      "createdAt": "2022-01-27T20:54:59.369748684Z",
      "vulnerabilities": {
        "vulnerabilityID": "3cac137d-33ea-47e7-9998-7ee60202bd72",
        "line": "5",
        "column": "44",
        "confidence": "LOW",
        "file": "src/main/resources/logback-spring.xml",
        "code": "<encoder class=\"net.logstash.logback.encoder.LoggingEventCompositeJsonEncoder\">",
        "details": "Base64 Encode\nBasic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.",
        "securityTool": "HorusecEngine",
        "language": "Java",
        "severity": "MEDIUM",
        "type": "Vulnerability",
        "commitAuthor": "-",
        "commitEmail": "-",
        "commitHash": "-",
        "commitMessage": "-",
        "commitDate": "-",
        "vulnHash": "12c6199a7f57c3519bdf969af677b05c1db93331a3624dac40b9b74482ca03f9"
      }
    },
    {
      "vulnerabilityID": "00000000-0000-0000-0000-000000000000",
      "analysisID": "759fa0d2-badc-41d9-9471-9bd782f0223d",
      "createdAt": "2022-01-27T20:54:59.369750684Z",
      "vulnerabilities": {
        "vulnerabilityID": "72183a59-bd81-4391-b714-382c9788376a",
        "line": "36",
        "column": "9",
        "confidence": "LOW",
        "file": "src/main/resources/logback-spring.xml",
        "code": "</encoder>",
        "details": "Base64 Encode\nBasic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.",
        "securityTool": "HorusecEngine",
        "language": "Java",
        "severity": "MEDIUM",
        "type": "Vulnerability",
        "commitAuthor": "-",
        "commitEmail": "-",
        "commitHash": "-",
        "commitMessage": "-",
        "commitDate": "-",
        "vulnHash": "7e84dc1cd7475a246d0e24436d559ea467df84d011c0238e2e82d8e699550423"
      }
    },
    {
      "vulnerabilityID": "00000000-0000-0000-0000-000000000000",
      "analysisID": "759fa0d2-badc-41d9-9471-9bd782f0223d",
      "createdAt": "2022-01-27T20:54:59.369752744Z",
      "vulnerabilities": {
        "vulnerabilityID": "d3d0de8c-8f09-4605-9874-7953624a60dd",
        "line": "40",
        "column": "8",
        "confidence": "LOW",
        "file": "src/main/resources/logback-spring.xml",
        "code": "<encoder>",
        "details": "Base64 Encode\nBasic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.",
        "securityTool": "HorusecEngine",
        "language": "Java",
        "severity": "MEDIUM",
        "type": "Vulnerability",
        "commitAuthor": "-",
        "commitEmail": "-",
        "commitHash": "-",
        "commitMessage": "-",
        "commitDate": "-",
        "vulnHash": "452e863e3037f72516ace041eab41fbb34822f911a9b6e0b54f35a7efd2485ea"
      }
    },
    {
      "vulnerabilityID": "00000000-0000-0000-0000-000000000000",
      "analysisID": "759fa0d2-badc-41d9-9471-9bd782f0223d",
      "createdAt": "2022-01-27T20:54:59.369754694Z",
      "vulnerabilities": {
        "vulnerabilityID": "d4ac3492-0c53-4390-93d9-ef96c8d75f4d",
        "line": "42",
        "column": "9",
        "confidence": "LOW",
        "file": "src/main/resources/logback-spring.xml",
        "code": "</encoder>",
        "details": "Base64 Encode\nBasic authentication's only means of obfuscation is Base64 encoding. Since Base64 encoding is easily recognized and reversed, it offers only the thinnest veil of protection to your users, and should not be used.",
        "securityTool": "HorusecEngine",
        "language": "Java",
        "severity": "MEDIUM",
        "type": "Vulnerability",
        "commitAuthor": "-",
        "commitEmail": "-",
        "commitHash": "-",
        "commitMessage": "-",
        "commitDate": "-",
        "vulnHash": "29ae040f4035ee4b622785cf25f94ca41e43aca31526c446a544c6db4f742e19"
      }
    }

@nathanmartinszup
Contributor

Thanks @jonybuzz, it's gonna help a lot.

@nathanmartinszup nathanmartinszup added the kind/false-positive This issue is related with false positive label Jan 28, 2022
@matheusalcantarazup matheusalcantarazup self-assigned this Feb 7, 2022
matheusalcantarazup added a commit that referenced this issue Feb 7, 2022
Fixes #816

Signed-off-by: Matheus Alcantara <matheus.alcantara@zup.com.br>
matheusalcantarazup added a commit that referenced this issue Feb 7, 2022
Previously the encode/decode Base64 rules were reporting any string that had the value encode/decode, which was generating a lot of false positives. This commit improves the regex of these rules to catch only the method calls that match encode or decode by name.

The type of rule HS-JVM-24 was changed from AndMatch to OrMatch to follow the same behaviour as HS-JVM-28.

Fixes #816

Signed-off-by: Matheus Alcantara <matheus.alcantara@zup.com.br>
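The following is an added example written for this page, not code from horusec-engine or from the commit above, that illustrates both changes the commit message describes. The `.encode` pattern quoted earlier in the thread has an unescaped dot, so it matches any character followed by "encode" (hence the hits on `urlencoded`, `logstash-logback-encoder` and `<encoder>`); the tightened pattern below requires a literal dot, an `encode`/`decode` method name and an opening parenthesis. The rule type names `AndMatch`/`OrMatch` follow the commit message, but the `Rule`/`Scan` types and both regexes are illustrative assumptions rather than the project's real ones, and the sample file is constructed from the snippets quoted in this issue plus two genuine `java.util.Base64` calls that a Base64 rule should still report.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// MatchType is how a rule with several expressions combines them.
// AndMatch reports a file only if every expression matched somewhere in it;
// OrMatch reports every line that any expression matched.
// (Simplified stand-in for illustration; not horusec-engine's own types.)
type MatchType int

const (
	AndMatch MatchType = iota
	OrMatch
)

// Rule is a minimal regex rule: an ID, a combination mode and its expressions.
type Rule struct {
	ID          string
	Type        MatchType
	Expressions []*regexp.Regexp
}

// Finding is one line that tripped a rule.
type Finding struct {
	RuleID string
	Line   int
	Text   string
}

// Scan runs a rule over file content line by line. Each line is reported at
// most once (first expression that hits). Under AndMatch the findings are
// discarded unless every expression hit at least one line of the file.
func Scan(r Rule, content string) []Finding {
	var hits []Finding
	seen := make([]bool, len(r.Expressions))
	for i, line := range strings.Split(content, "\n") {
		for j, re := range r.Expressions {
			if re.MatchString(line) {
				seen[j] = true
				hits = append(hits, Finding{r.ID, i + 1, line})
				break
			}
		}
	}
	if r.Type == AndMatch {
		for _, ok := range seen {
			if !ok {
				return nil
			}
		}
	}
	return hits
}

// BroadRule reproduces the flaw discussed in the thread: the unescaped "."
// lets ".encode" match "urlencoded", "-encoder" and "<encoder". (Assumed pattern.)
func BroadRule() Rule {
	return Rule{ID: "broad", Type: OrMatch, Expressions: []*regexp.Regexp{
		regexp.MustCompile(`.encode`),
		regexp.MustCompile(`.decode`),
	}}
}

// TightRule keeps only method calls whose name starts with encode/decode:
// a literal dot, the name, an optional suffix such as "ToString", then "(".
// (Assumed pattern; not the project's actual regex.)
func TightRule() Rule {
	return Rule{ID: "tight", Type: OrMatch, Expressions: []*regexp.Regexp{
		regexp.MustCompile(`\.encode\w*\s*\(`),
		regexp.MustCompile(`\.decode\w*\s*\(`),
	}}
}

// Sample is constructed from lines quoted in this issue plus two real
// Base64 calls (lines 5 and 6) that a Base64 rule should still report.
const Sample = `.addContentType("application/x-www-form-urlencoded")
runtimeOnly "net.logstash.logback:logstash-logback-encoder:${logstashLogbackEncoder}"
<encoder class="net.logstash.logback.encoder.AccessEventCompositeJsonEncoder">
</encoder>
String creds = Base64.getEncoder().encodeToString((user + ":" + pass).getBytes());
byte[] raw = Base64.getDecoder().decode(header.substring(6));`

// EncodeOnly has an encode call but no decode call: under AndMatch a rule that
// also carries a decode expression would silently report nothing for it.
const EncodeOnly = `String creds = Base64.getEncoder().encodeToString(raw);`

func main() {
	for _, r := range []Rule{BroadRule(), TightRule()} {
		fmt.Printf("rule %s:\n", r.ID)
		for _, f := range Scan(r, Sample) {
			fmt.Printf("  line %d: %s\n", f.Line, f.Text)
		}
	}
	and := Rule{ID: "and", Type: AndMatch, Expressions: TightRule().Expressions}
	fmt.Println("AndMatch findings on encode-only file:", len(Scan(and, EncodeOnly)))
	fmt.Println("OrMatch findings on encode-only file:", len(Scan(TightRule(), EncodeOnly)))
}
```

Run with `go run main.go`: the broad rule flags all six sample lines, the tight rule flags only lines 5 and 6, and the encode-only file yields zero findings under AndMatch versus one under OrMatch, which is why a multi-expression rule that should fire on either call needs OrMatch.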
wiliansilvazup pushed a commit that referenced this issue Feb 9, 2022