CL_ABAP_RANDOM class or its variants) is seeded with a specific constant value, the values returned by GET_NEXT, INT and similar methods which return or assign values are predictable for an attacker that can collect a number of PRNG outputs.random_gen2 are predictable from the object random_gen1.
DATA: random_gen1 TYPE REF TO cl_abap_random,
random_gen2 TYPE REF TO cl_abap_random,
var1 TYPE i,
var2 TYPE i.
random_gen1 = cl_abap_random=>create( seed = '1234' ).
DO 10 TIMES.
CALL METHOD random_gen1->int
RECEIVING
value = var1.
WRITE:/ var1.
ENDDO.
random_gen2 = cl_abap_random=>create( seed = '1234' ).
DO 10 TIMES.
CALL METHOD random_gen2->int
RECEIVING
value = var2.
WRITE:/ var2.
ENDDO.
random_gen1 and random_gen2 were identically seeded, so var1 = var2rand()) is seeded with a specific value (using a function like srand(unsigned int)), the values returned by rand() and similar methods which return or assign values are predictable for an attacker that can collect a number of PRNG outputs.
srand(2223333);
float randomNum = (rand() % 100);
syslog(LOG_INFO, "Random: %1.2f", randomNum);
randomNum = (rand() % 100);
syslog(LOG_INFO, "Random: %1.2f", randomNum);
srand(2223333);
float randomNum2 = (rand() % 100);
syslog(LOG_INFO, "Random: %1.2f", randomNum2);
randomNum2 = (rand() % 100);
syslog(LOG_INFO, "Random: %1.2f", randomNum2);
srand(1231234);
float randomNum3 = (rand() % 100);
syslog(LOG_INFO, "Random: %1.2f", randomNum3);
randomNum3 = (rand() % 100);
syslog(LOG_INFO, "Random: %1.2f", randomNum3);
randomNum1 and randomNum2 were identically seeded, so each call to rand() after the call which seeds the pseudorandom number generator srand(2223333), will result in the same outputs in the same calling order. For example, the output might resemble the following:
Random: 32.00
Random: 73.00
Random: 32.00
Random: 73.00
Random: 15.00
Random: 75.00
math.Rand.New(Source)), the values returned by math.Rand.Int() and similar methods which return or assign values are predictable for an attacker that can collect a number of PRNG outputs.
randomGen := rand.New(rand.NewSource(12345))
randomInt1 := randomGen.nextInt()
randomGen.Seed(12345)
randomInt2 := randomGen.nextInt()
nextInt() after the call that seeded the pseudorandom number generator (randomGen.Seed(12345)), results in the same outputs and in the same order.Random) is seeded with a specific value (using a function such as Random.setSeed()), the values returned by Random.nextInt() and similar methods which return or assign values are predictable for an attacker that can collect a number of PRNG outputs.Random object randomGen2 are predictable from the Random object randomGen1.
Random randomGen1 = new Random();
randomGen1.setSeed(12345);
int randomInt1 = randomGen1.nextInt();
byte[] bytes1 = new byte[4];
randomGen1.nextBytes(bytes1);
Random randomGen2 = new Random();
randomGen2.setSeed(12345);
int randomInt2 = randomGen2.nextInt();
byte[] bytes2 = new byte[4];
randomGen2.nextBytes(bytes2);
randomGen1 and randomGen2 were identically seeded, so randomInt1 == randomInt2, and corresponding values of arrays bytes1[] and bytes2[] are equal.Random) is seeded with a specific value (using function such as Random(Int)), the values returned by Random.nextInt() and similar methods which return or assign values are predictable for an attacker that can collect a number of PRNG outputs.Random object randomGen2 are predictable from the Random object randomGen1.
val randomGen1 = Random(12345)
val randomInt1 = randomGen1.nextInt()
val byteArray1 = ByteArray(4)
randomGen1.nextBytes(byteArray1)
val randomGen2 = Random(12345)
val randomInt2 = randomGen2.nextInt()
val byteArray2 = ByteArray(4)
randomGen2.nextBytes(byteArray2)
randomGen1 and randomGen2 were identically seeded, so randomInt1 == randomInt2, and corresponding values of arrays byteArray1 and byteArray2 are equal.
...
import random
random.seed(123456)
print "Random: %d" % random.randint(1,100)
print "Random: %d" % random.randint(1,100)
print "Random: %d" % random.randint(1,100)
random.seed(123456)
print "Random: %d" % random.randint(1,100)
print "Random: %d" % random.randint(1,100)
print "Random: %d" % random.randint(1,100)
...
randint() after the call that seeded the pseudorandom number generator (random.seed(123456)), will result in the same outputs in the same output in the same order. For example, the output might resemble the following:
Random: 81
Random: 80
Random: 3
Random: 81
Random: 80
Random: 3
Random) is seeded with a specific value (using a function like Random.setSeed()), the values returned by Random.nextInt() and similar methods which return or assign values are predictable for an attacker that can collect a number of PRNG outputs.Random object randomGen2 are predictable from the Random object randomGen1.
val randomGen1 = new Random()
randomGen1.setSeed(12345)
val randomInt1 = randomGen1.nextInt()
val bytes1 = new byte[4]
randomGen1.nextBytes(bytes1)
val randomGen2 = new Random()
randomGen2.setSeed(12345)
val randomInt2 = randomGen2.nextInt()
val bytes2 = new byte[4]
randomGen2.nextBytes(bytes2)
randomGen1 and randomGen2 were identically seeded, so randomInt1 == randomInt2, and corresponding values of arrays bytes1[] and bytes2[] are equal.CL_ABAP_RANDOM (or its variants) should not be initialized with a tainted argument. Doing so allows an attacker to control the value used to seed the pseudorandom number generator, and therefore predict the sequence of values produced by calls to methods including but not limited to: GET_NEXT, INT, FLOAT, PACKED.rand()), which are passed a seed (such as srand()); should not be called with a tainted argument. Doing so allows an attacker to control the value used to seed the pseudorandom number generator, and therefore predict the sequence of values (usually integers) produced by calls to the pseudorandom number generator.ed25519.NewKeyFromSeed(), should not be called with a tainted argument. Doing so allows an attacker to control the value used to seed the pseudorandom number generator, and then can predict the sequence of values produced by calls to the pseudorandom number generator.Random.setSeed() should not be called with a tainted integer argument. Doing so allows an attacker to control the value used to seed the pseudorandom number generator, and therefore predict the sequence of values (usually integers) produced by calls to Random.nextInt(), Random.nextShort(), Random.nextLong(), or returned by Random.nextBoolean(), or set in Random.nextBytes(byte[]).Random.setSeed() should not be called with a tainted integer argument. Doing so allows an attacker to control the value used to seed the pseudorandom number generator, and therefore predict the sequence of values (usually integers) produced by calls to Random.nextInt(), Random.nextLong(), Random.nextDouble(), or returned by Random.nextBoolean(), or set in Random.nextBytes(ByteArray).random.randint()); should not be called with a tainted argument. Doing so allows an attacker to control the value used to seed the pseudorandom number generator, and hence be able to predict the sequence of values (usually integers) produced by calls to the pseudorandom number generator.Random.setSeed() should not be called with a tainted integer argument. Doing so allows an attacker to control the value used to seed the pseudorandom number generator, and therefore predict the sequence of values (usually integers) produced by calls to Random.nextInt(), Random.nextShort(), Random.nextLong(), or returned by Random.nextBoolean(), or set in Random.nextBytes(byte[]).elements in building an HTML sanitizer policy:
...
String elements = prop.getProperty("AllowedElements");
...
public static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()
.allowElements(elements)
.toFactory();
....
elements.createSocket(), that take in InetAddress as a function parameter, do not perform hostname verification.getInsecure() returns a SSL socket factory with all SSL checks disabled.https://safesecureserver.banking.com would readily accept a certificate issued to https://hackedserver.banking.com. The application would now potentially leak sensitive user information on a broken SSL connection to the hacked server.
URL url = new URL("https://myserver.org");
URLConnection urlConnection = url.openConnection();
InputStream in = urlConnection.getInputStream();
SSLSocketFactory used by the URLConnection has not been changed, it will use the default one that will trust all the CAs present in the Android default keystore.
val url = URL("https://myserver.org")
val data = url.readBytes()
SSLSocketFactory used by the URLConnection has not been changed, it will use the default one that will trust all the CAs present in the Android default keystore.
NSString* requestString = @"https://myserver.org";
NSURL* requestUrl = [NSURL URLWithString:requestString];
NSURLRequest* request = [NSURLRequest requestWithURL:requestUrl
cachePolicy:NSURLRequestReloadIgnoringLocalCacheData
timeoutInterval:10.0f];
NSURLConnection* connection = [[NSURLConnection alloc] initWithRequest:request delegate:self];
NSURLConnectionDelegate methods defined to handle certificate verification, it will use the system ones that will trust all the CAs present in the iOS default keystore.
let requestString = NSURL(string: "https://myserver.org")
let requestUrl : NSURL = NSURL(string:requestString)!;
let request : NSURLRequest = NSURLRequest(URL:requestUrl);
let connection : NSURLConnection = NSURLConnection(request:request, delegate:self)!;
NSURLConnectionDelegate methods defined to handle certificate verification, it will use the system ones that will trust all the CAs present in the iOS default keystore.
...
private bool CertificateCheck(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
...
return true;
}
...
HttpWebRequest webRequest = (HttpWebRequest) WebRequest.Create("https://www.myTrustedSite.com");
webRequest.ServerCertificateValidationCallback = CertificateCheck;
WebResponse response = webRequest.GetResponse();
...
...
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback);
...
...
config := &tls.Config{
// Set InsecureSkipVerify to skip the default validation
InsecureSkipVerify: true,
...
}
conn, err := tls.Dial("tcp", "example.com:443", conf)
..
...
Email email = new SimpleEmail();
email.setHostName("smtp.servermail.com");
email.setSmtpPort(465);
email.setAuthenticator(new DefaultAuthenticator(username, password));
email.setSSLOnConnect(true);
email.setFrom("user@gmail.com");
email.setSubject("TestMail");
email.setMsg("This is a test mail ... :-)");
email.addTo("foo@bar.com");
email.send();
...
smtp.mailserver.com:465, this application would readily accept a certificate issued to "hackedserver.com". The application would now potentially leak sensitive user information on a broken SSL connection to the hacked server.
...
var options = {
key : fs.readFileSync('my-server-key.pem'),
cert : fs.readFileSync('server-cert.pem'),
requestCert: true,
...
}
https.createServer(options);
...
https.Server object is created, the setting requestCert is specified to true, but rejectUnauthorized is not set, which defaults to false. This means that although the server was created with the intention of verifying clients over SSL, connections will still be accepted even if the certificate is not authorized with the list of supplied CAs.
var tls = require('tls');
...
tls.connect({
host: 'https://www.hackersite.com',
port: '443',
...
rejectUnauthorized: false,
...
});
rejectUnauthorized was set to false, it means that unauthorized certificates will be accepted, and a secure connection to the unidentified server will still be created. The application would now potentially leak sensitive user information on a broken SSL connection to the hacked server.NSURLConnectionDelegate to accept any HTTPS certificate:
implementation NSURLRequest (IgnoreSSL)
+ (BOOL)allowsAnyHTTPSCertificateForHost:(NSString *)host
{
return YES;
}
@end
NSURLRequest from Example 1, no warnings or errors will result if the requested server's certificate is self-signed (and therefore unverified). As a result, the application would now potentially leak sensitive user information over the broken SSL connection.
...
import ssl
ssl_sock = ssl.wrap_socket(s)
...
require 'openssl'
...
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode=OpenSSL::SSL::VERIFY_NONE
...
NSURLConnectionDelegate to accept any HTTPS certificate:
class Delegate: NSObject, NSURLConnectionDelegate {
...
func connection(connection: NSURLConnection, canAuthenticateAgainstProtectionSpace protectionSpace: NSURLProtectionSpace?) -> Bool {
return protectionSpace?.authenticationMethod == NSURLAuthenticationMethodServerTrust
}
func connection(connection: NSURLConnection, willSendRequestForAuthenticationChallenge challenge: NSURLAuthenticationChallenge) {
challenge.sender?.useCredential(NSURLCredential(forTrust: challenge.protectionSpace.serverTrust!), forAuthenticationChallenge: challenge)
challenge.sender?.continueWithoutCredentialForAuthenticationChallenge(challenge)
}
}
NSURLConnectionDelegate from Example 1, no warnings or errors will result if the requested server's certificate is self-signed (and therefore unverified). As a result, the application would now potentially leak sensitive user information over the broken SSL connection.NSURLSession class, the SSL/TLS chain validation is handled by your app's authentication delegate method, but instead of providing credentials to authenticate the user (or your app) to the server, your app instead checks the credentials that the server provides during the SSL/TLS handshake, then tells the URL loading system whether it should accept or reject those credentials. The following code shows an NSURLSessionDelgate that just passes proposedCredential of the challenge received back as a credential for the session, effectively bypassing the server verification:
class MySessionDelegate : NSObject, NSURLSessionDelegate {
...
func URLSession(session: NSURLSession, didReceiveChallenge challenge: NSURLAuthenticationChallenge, completionHandler: (NSURLSessionAuthChallengeDisposition, NSURLCredential?) -> Void) {
...
completionHandler(NSURLSessionAuthChallengeDisposition.UseCredential, challenge.proposedCredential)
...
}
...
}
allowBackup attribute to true (the default value) and defining the backupAgent attribute on the <application> tag.Environment.getExternalStorageDirectory() returns a reference to the Android device's external storage. private void WriteToFile(String what_to_write) {
try{
File root = Environment.getExternalStorageDirectory();
if(root.canWrite()) {
File dir = new File(root + "write_to_the_SDcard");
File datafile = new File(dir, number + ".extension");
FileWriter datawriter = new FileWriter(datafile);
BufferedWriter out = new BufferedWriter(datawriter);
out.write(what_to_write);
out.close();
}
}
}
protected void onCreate(Bundle savedInstanceState) {
...
try {
File httpCacheDir = new File(context.getExternalCacheDir(), "http");
long httpCacheSize = 10 * 1024 * 1024; // 10 MiB
HttpResponseCache.install(httpCacheDir, httpCacheSize);
} catch (IOException e) {
Log.i(TAG, "HTTP response cache installation failed:" + e);
}
}
protected void onStop() {
...
HttpResponseCache cache = HttpResponseCache.getInstalled();
if (cache != null) {
cache.flush();
}
}
{app ID}/Library/Caches/com.mycompany.myapp/Cache.db* files.{app ID}/Library/Caches/com.mycompany.myapp/Cache.db* files.Realm database:
Realm realm = Realm.getDefaultInstance();
Realm database:
RLMRealmConfiguration *config = [RLMRealmConfiguration defaultConfiguration];
RLMRealm *realm = [RLMRealm realmWithConfiguration:config error:nil];
Realm database:
let realm = try! Realm()
Access Control Policy that grants full anonymous access to the foo bucket.
GetBucketAclRequest bucketAclReq = GetBucketAclRequest.builder().bucket("foo").build();
GetBucketAclResponse getAclRes = s3.getBucketAcl(bucketAclReq);
List<Grant> grants = getAclRes.grants();
Grantee allusers = Grantee.builder().uri("http://acs.amazonaws.com/groups/global/AllUsers").build();
Permission fc_permission = Permission.fromValue("FullControl");
Grant grant = Grant.builder().grantee(allusers).permission(fc_permission).build();
grants.add(grant);
AccessControlPolicy acl = AccessControlPolicy.builder().grants(grants).build();
Access Control Policy that grants anonymous read ACP access to the foo bucket.
GetBucketAclRequest bucketAclReq = GetBucketAclRequest.builder().bucket("foo").build();
GetBucketAclResponse getAclRes = s3.getBucketAcl(bucketAclReq);
List<Grant> grants = getAclRes.grants();
Grantee allusers = Grantee.builder().uri("http://acs.amazonaws.com/groups/global/AllUsers").build();
Permission fc_permission = Permission.fromValue("READ_ACP");
Grant grant = Grant.builder().grantee(allusers).permission(fc_permission).build();
grants.add(grant);
AccessControlPolicy acl = AccessControlPolicy.builder().grants(grants).build();
Access Control Policy that grants anonymous read access to the foo bucket.
GetBucketAclRequest bucketAclReq = GetBucketAclRequest.builder().bucket("foo").build();
GetBucketAclResponse getAclRes = s3.getBucketAcl(bucketAclReq);
List<Grant> grants = getAclRes.grants();
Grantee allusers = Grantee.builder().uri("http://acs.amazonaws.com/groups/global/AllUsers").build();
Permission fc_permission = Permission.fromValue("Read");
Grant grant = Grant.builder().grantee(allusers).permission(fc_permission).build();
grants.add(grant);
AccessControlPolicy acl = AccessControlPolicy.builder().grants(grants).build();
Access Control Policy that grants anonymous write ACP access to the foo bucket.
GetBucketAclRequest bucketAclReq = GetBucketAclRequest.builder().bucket("foo").build();
GetBucketAclResponse getAclRes = s3.getBucketAcl(bucketAclReq);
List<Grant> grants = getAclRes.grants();
Grantee allusers = Grantee.builder().uri("http://acs.amazonaws.com/groups/global/AllUsers").build();
Permission fc_permission = Permission.fromValue("WRITE_ACP");
Grant grant = Grant.builder().grantee(allusers).permission(fc_permission).build();
grants.add(grant);
AccessControlPolicy acl = AccessControlPolicy.builder().grants(grants).build();
Access Control Policy that grants anonymous write access to the foo bucket.
GetBucketAclRequest bucketAclReq = GetBucketAclRequest.builder().bucket("foo").build();
GetBucketAclResponse getAclRes = s3.getBucketAcl(bucketAclReq);
List<Grant> grants = getAclRes.grants();
Grantee allusers = Grantee.builder().uri("http://acs.amazonaws.com/groups/global/AllUsers").build();
Permission fc_permission = Permission.fromValue("Write");
Grant grant = Grant.builder().grantee(allusers).permission(fc_permission).build();
grants.add(grant);
AccessControlPolicy acl = AccessControlPolicy.builder().grants(grants).build();
...
FINAL(client) = cl_apc_tcp_client_manager=>create(
i_host = ip_adress
i_port = port
i_frame = VALUE apc_tcp_frame(
frame_type =
if_apc_tcp_frame_types=>co_frame_type_terminator
terminator =
terminator )
i_event_handler = event_handler ).
...
client object and the remote server is vulnerable to compromise, because it is transmitted over an unencrypted and unauthenticated channel.
...
HttpRequest req = new HttpRequest();
req.setEndpoint('http://example.com');
HTTPResponse res = new Http().send(req);
...
HttpResponse object, res, might be compromised as it is delivered over an unencrypted and unauthenticated channel.
var account = new CloudStorageAccount(storageCredentials, false);
...
String url = 'http://10.0.2.2:11005/v1/key';
Response response = await get(url, headers: headers);
...
response, might have been compromised as it is delivered over an unencrypted and unauthenticated channel.
helloHandler := func(w http.ResponseWriter, req *http.Request) {
io.WriteString(w, "Hello, world!\n")
}
http.HandleFunc("/hello", helloHandler)
log.Fatal(http.ListenAndServe(":8080", nil))
URL url = new URL("http://www.android.com/");
HttpURLConnection urlConnection = (HttpURLConnection) url.openConnection();
try {
InputStream in = new BufferedInputStream(urlConnection.getInputStream());
readStream(in);
...
}
instream, may have been compromised as it is delivered over an unencrypted and unauthenticated channel.
var http = require('http');
...
http.request(options, function(res){
...
});
...
http.IncomingMessage object,res, may have been compromised as it is delivered over an unencrypted and unauthenticated channel.
NSString * const USER_URL = @"http://localhost:8080/igoat/user";
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:USER_URL]];
[[NSURLConnection alloc] initWithRequest:request delegate:self];
...
stream_socket_enable_crypto($fp, false);
...
require 'net/http'
conn = Net::HTTP.new(URI("http://www.website.com/"))
in = conn.get('/index.html')
...
in, may have been compromised as it is delivered over an unencrypted and unauthenticated channel.
val url = Uri.from(scheme = "http", host = "192.0.2.16", port = 80, path = "/")
val responseFuture: Future[HttpResponse] = Http().singleRequest(HttpRequest(uri = url))
responseFuture, may have been compromised as it is delivered over an unencrypted and unauthenticated channel.
let USER_URL = "http://localhost:8080/igoat/user"
let request : NSMutableURLRequest = NSMutableURLRequest(URL:NSURL(string:USER_URL))
let conn : NSURLConnection = NSURLConnection(request:request, delegate:self)
...
using var channel = GrpcChannel.ForAddress("https://grpcserver.com", new GrpcChannelOptions {
Credentials = ChannelCredentials.Insecure
});
...
...
ManagedChannel channel = Grpc.newChannelBuilder("hostname", InsecureChannelCredentials.create()).build();
...
None. Data sent with insecure channel credential settings cannot be trusted.root_certificates parameter will be set to None, the value of the private_key parameter will be set to None, and the value of the certificate_chain parameter will be set to None.
...
channel_creds = grpc.ssl_channel_credentials()
...