Add vulnerable Blowfish encryption method and update output format

OWASP · Feb 1, 2025 · e1c45c8 · e1c45c8
1 parent abb0dd9
commit e1c45c8
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 4 deletions.
diff --git a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0022/MastgTest.kt b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0022/MastgTest.kt
@@ -9,6 +9,7 @@ import javax.crypto.spec.DESedeKeySpec
 import javax.crypto.spec.SecretKeySpec
 import android.util.Base64
 import java.security.SecureRandom
+import javax.crypto.SecretKey
 
 class MastgTest(private val context: Context) {
 
@@ -71,6 +72,26 @@ class MastgTest(private val context: Context) {
         }
     }
 
+    // Insecure encryption using Blowfish (weak algorithm)
+    fun vulnerableBlowfishEncryption(data: String): String {
+        return try {
+            // Weak key for Blowfish (insecure, small key size)
+            val keyBytes = ByteArray(8) // Only 8 bytes (64-bit key) - not secure
+            SecureRandom().nextBytes(keyBytes)
+            val secretKey: SecretKey = SecretKeySpec(keyBytes, "Blowfish")
+
+            // Weak encryption algorithm (Blowfish)
+            val cipher = Cipher.getInstance("Blowfish")
+            cipher.init(Cipher.ENCRYPT_MODE, secretKey)
+
+            val encryptedData = cipher.doFinal(data.toByteArray())
+            Base64.encodeToString(encryptedData, Base64.DEFAULT)
+        } catch (e: Exception) {
+            "Encryption error: ${e.message}"
+        }
+    }
+
+
     fun mastgTest(): String {
         val sensitiveString = "Hello from the OWASP MASTG Test app."
 
@@ -83,7 +104,10 @@ class MastgTest(private val context: Context) {
         // Encrypt with deprecated RC4
         val rc4EncryptedString = vulnerableRc4Encryption(sensitiveString)
 
+        // Encrypt with weak Blowfish
+        val blowfishEncryptedString = vulnerableBlowfishEncryption(sensitiveString)
+
         // Returning the encrypted results
-        return "DES Encrypted: $desEncryptedString\n3DES Encrypted: $tripleDesEncryptedString\nRC4 Encrypted: $rc4EncryptedString"
+        return "DES Encrypted: $desEncryptedString\n3DES Encrypted: $tripleDesEncryptedString\nRC4 Encrypted: $rc4EncryptedString\nBlowfish Encrypted: $blowfishEncryptedString"
     }
 }
diff --git a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0022/MastgTest_reversed.java b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0022/MastgTest_reversed.java
@@ -5,6 +5,7 @@
 import java.security.Key;
 import java.security.SecureRandom;
 import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
 import javax.crypto.SecretKeyFactory;
 import javax.crypto.spec.DESKeySpec;
 import javax.crypto.spec.DESedeKeySpec;
@@ -14,7 +15,7 @@
 import kotlin.text.Charsets;
 
 /* compiled from: MastgTest.kt */
-@Metadata(d1 = {"\u0000\u001a\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0002\b\u0005\b\u0007\u0018\u00002\u00020\u0001B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0006\u0010\u0005\u001a\u00020\u0006J\u000e\u0010\u0007\u001a\u00020\u00062\u0006\u0010\b\u001a\u00020\u0006J\u000e\u0010\t\u001a\u00020\u00062\u0006\u0010\b\u001a\u00020\u0006J\u000e\u0010\n\u001a\u00020\u00062\u0006\u0010\b\u001a\u00020\u0006R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\u000b"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "(Landroid/content/Context;)V", "mastgTest", "", "vulnerable3DesEncryption", "data", "vulnerableDesEncryption", "vulnerableRc4Encryption", "app_debug"}, k = 1, mv = {1, 9, 0}, xi = 48)
+@Metadata(d1 = {"\u0000\u001a\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0002\b\u0006\b\u0007\u0018\u00002\u00020\u0001B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0006\u0010\u0005\u001a\u00020\u0006J\u000e\u0010\u0007\u001a\u00020\u00062\u0006\u0010\b\u001a\u00020\u0006J\u000e\u0010\t\u001a\u00020\u00062\u0006\u0010\b\u001a\u00020\u0006J\u000e\u0010\n\u001a\u00020\u00062\u0006\u0010\b\u001a\u00020\u0006J\u000e\u0010\u000b\u001a\u00020\u00062\u0006\u0010\b\u001a\u00020\u0006R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\f"}, d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "(Landroid/content/Context;)V", "mastgTest", "", "vulnerable3DesEncryption", "data", "vulnerableBlowfishEncryption", "vulnerableDesEncryption", "vulnerableRc4Encryption", "app_debug"}, k = 1, mv = {1, 9, 0}, xi = 48)
 /* loaded from: classes4.dex */
 public final class MastgTest {
     public static final int $stable = 8;
@@ -90,10 +91,30 @@ public final String vulnerableRc4Encryption(String data) {
         }
     }
 
+    public final String vulnerableBlowfishEncryption(String data) {
+        Intrinsics.checkNotNullParameter(data, "data");
+        try {
+            byte[] keyBytes = new byte[8];
+            new SecureRandom().nextBytes(keyBytes);
+            SecretKey secretKey = new SecretKeySpec(keyBytes, "Blowfish");
+            Cipher cipher = Cipher.getInstance("Blowfish");
+            cipher.init(1, secretKey);
+            byte[] bytes = data.getBytes(Charsets.UTF_8);
+            Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
+            byte[] encryptedData = cipher.doFinal(bytes);
+            String encodeToString = Base64.encodeToString(encryptedData, 0);
+            Intrinsics.checkNotNull(encodeToString);
+            return encodeToString;
+        } catch (Exception e) {
+            return "Encryption error: " + e.getMessage();
+        }
+    }
+
     public final String mastgTest() {
         String desEncryptedString = vulnerableDesEncryption("Hello from the OWASP MASTG Test app.");
         String tripleDesEncryptedString = vulnerable3DesEncryption("Hello from the OWASP MASTG Test app.");
         String rc4EncryptedString = vulnerableRc4Encryption("Hello from the OWASP MASTG Test app.");
-        return "DES Encrypted: " + desEncryptedString + "\n3DES Encrypted: " + tripleDesEncryptedString + "\nRC4 Encrypted: " + rc4EncryptedString;
+        String blowfishEncryptedString = vulnerableBlowfishEncryption("Hello from the OWASP MASTG Test app.");
+        return "DES Encrypted: " + desEncryptedString + "\n3DES Encrypted: " + tripleDesEncryptedString + "\nRC4 Encrypted: " + rc4EncryptedString + "\nBlowfish Encrypted: " + blowfishEncryptedString;
     }
 }
diff --git a/demos/android/MASVS-CRYPTO/MASTG-DEMO-0022/output.txt b/demos/android/MASVS-CRYPTO/MASTG-DEMO-0022/output.txt
@@ -0,0 +1,17 @@
+
+
+┌─────────────────┐
+│ 4 Code Findings │
+└─────────────────┘
+
+    MastgTest_reversed.java
+    ❯❱ [1mrules.weak-encryption-algorithms[0m
+          [MASVS-CRYPTO-1] Weak encryption algorithms found in use.
+
+           39┆ Cipher cipher = Cipher.getInstance("DES");
+            ⋮┆----------------------------------------
+           62┆ Cipher cipher = Cipher.getInstance("DESede");
+            ⋮┆----------------------------------------
+           81┆ Cipher cipher = Cipher.getInstance("RC4");
+            ⋮┆----------------------------------------
+          100┆ Cipher cipher = Cipher.getInstance("Blowfish");
diff --git a/rules/mastg-android-weak-encryption-algorithms.yaml b/rules/mastg-android-weak-encryption-algorithms.yaml
@@ -4,9 +4,10 @@ rules:
       - java
     severity: WARNING
     metadata:
-      summary: This rule looks for weak encryption algorithms such as DES, 3DES or RC4.
+      summary: This rule looks for weak encryption algorithms.
     message: "[MASVS-CRYPTO-1] Weak encryption algorithms found in use."
     pattern-either:
       - pattern: Cipher.getInstance("DES")
       - pattern: Cipher.getInstance("DESede")
       - pattern: Cipher.getInstance("RC4")
+      - pattern: Cipher.getInstance("Blowfish")