Artem Smotrakov artem-smotrakov
☘️
artem-smotrakov
/ TimingAttackAgainstSignature.ql
Created
August 15, 2021 14:25
CodeQL query for detecting timing attacks in Java code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from DataFlow::PathNode source, DataFlow::PathNode sink, NonConstantTimeCryptoComparisonConfig conf | |
| where | |
| conf.hasFlowPath(source, sink) and | |
| ( | |
| source.getNode().(CryptoOperationSource).includesUserInput() and | |
| sink.getNode().(NonConstantTimeComparisonSink).includesUserInput() | |
| ) | |
| select sink.getNode(), source, sink, "Timing attack against $@ validation.", source, | |
| source.getNode().(CryptoOperationSource).getCall().getResultType() |
artem-smotrakov
/ NonConstantTimeCryptoComparisonConfig.ql
Created
August 15, 2021 14:24
A data flow tracking config for detecting timing attacks in Java code
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class NonConstantTimeCryptoComparisonConfig extends TaintTracking::Configuration { | |
| NonConstantTimeCryptoComparisonConfig() { this = "NonConstantTimeCryptoComparisonConfig" } | |
| override predicate isSource(DataFlow::Node source) { source instanceof CryptoOperationSource } | |
| override predicate isSink(DataFlow::Node sink) { sink instanceof NonConstantTimeComparisonSink } | |
| } |
artem-smotrakov
/ PossibleTimingAttackAgainstSignature.ql
Created
August 15, 2021 14:23
CodeQL query for detecting possible timing attacks in Java applications
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from DataFlow::PathNode source, DataFlow::PathNode sink, NonConstantTimeCryptoComparisonConfig conf | |
| where conf.hasFlowPath(source, sink) | |
| select sink.getNode(), source, sink, "Possible timing attack against $@ validation.", source, | |
| source.getNode().(CryptoOperationSource).getCall().getResultType() |
artem-smotrakov
/ SafeMACValidationExample.java
Created
August 15, 2021 14:22
Using constant-time algorithm for validating a MAC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public boolean validate(HttpRequest request, SecretKey key) throws Exception { | |
| byte[] message = getMessageFrom(request); | |
| byte[] signature = getSignatureFrom(request); | |
| Mac mac = Mac.getInstance("HmacSHA256"); | |
| mac.init(new SecretKeySpec(key.getEncoded(), "HmacSHA256")); | |
| byte[] actual = mac.doFinal(message); | |
| return MessageDigest.isEqual(signature, actual); | |
| } |
artem-smotrakov
/ TimingAttackExample.java
Created
August 15, 2021 14:20
Possible timing attack against MAC validation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public boolean validate(HttpRequest request, SecretKey key) throws Exception { | |
| byte[] message = getMessageFrom(request); | |
| byte[] signature = getSignatureFrom(request); | |
| Mac mac = Mac.getInstance("HmacSHA256"); | |
| mac.init(new SecretKeySpec(key.getEncoded(), "HmacSHA256")); | |
| byte[] actual = mac.doFinal(message); | |
| return Arrays.equals(signature, actual); | |
| } |
artem-smotrakov
/ UnsafeRmiObject.ql
Created
June 2, 2021 13:45
Taint-tracking configuration for unsafe RMI objects
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| private class BindingUnsafeRemoteObjectConfig extends TaintTracking::Configuration { | |
| BindingUnsafeRemoteObjectConfig() { this = "BindingUnsafeRemoteObjectConfig" } | |
| override predicate isSource(DataFlow::Node source) { | |
| exists(ConstructorCall cc | cc = source.asExpr() | | |
| hasVulnerableMethod(cc.getConstructedType().getASupertype*()) | |
| ) | |
| } | |
| override predicate isSink(DataFlow::Node sink) { |
artem-smotrakov
/ SaferRmiObject.java
Created
June 2, 2021 13:20
Example of a deserialization filter for an unsafe RMI object
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public class Server { | |
| public void bindRemoteObject(Registry registry) throws Exception { | |
| ObjectInputFilter filter = info -> { | |
| if (info.serialClass().getCanonicalName().startsWith("com.safe.package.")) { | |
| return ObjectInputFilter.Status.ALLOWED; | |
| } | |
| return ObjectInputFilter.Status.REJECTED; | |
| }; | |
| registry.bind("unsafe", UnicastRemoteObject.exportObject(new RemoteObjectImpl(), 12345, filter)); |
artem-smotrakov
/ UnsafeRmiObject.java
Last active
June 2, 2021 13:20
Example of a vulnerable RMI object
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public class Server { | |
| public void bindRemoteObject(Registry registry) throws Exception { | |
| registry.bind("unsafe", UnicastRemoteObject.exportObject(new RemoteObjectImpl())); | |
| } | |
| } | |
| interface RemoteObject extends Remote { | |
| // this remote method is vulnerable because it accepts a complex parameter | |
| void action(Object obj) throws RemoteException; |
artem-smotrakov
/ SaferExpressionEvaluationWithJuel.java
Last active
April 14, 2021 08:06
Restricting Jakarta EL expressions to avoid RCE
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void handle(HttpRequest request) { | |
| if (request.hasParameter("questionToBackend")) { | |
| String input = request.getParameter("questionToBackend")); | |
| String pattern = "(inside|outside)\\.(temperature|humidity)"; | |
| if (!input.matches(pattern)) { | |
| throw new IllegalArgumentException("Unexpected expression"); | |
| } | |
| String expression = "${" + input + "}"; | |
| ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl(); | |
| ELContext context = new de.odysseus.el.util.SimpleContext(); |
artem-smotrakov
/ JakartaExpressionLanguageInjection.java
Created
April 14, 2021 07:47
Example of EL injection with JUEL
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void handle(HttpRequest request) { | |
| if (request.hasParameter("questionToBackend")) { | |
| String expression = request.getParameter("questionToBackend")); | |
| ExpressionFactory factory = new de.odysseus.el.ExpressionFactoryImpl(); | |
| ELContext context = new de.odysseus.el.util.SimpleContext(); | |
| ValueExpression e = factory.createValueExpression(context, expression, Object.class); | |
| Object object = e.getValue(context); | |
| handleResult(object); | |
| } else { | |
| callNextHandler(request); |
NewerOlder