Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update MASWE-0023 (by @NowSecure) #3116

Merged
merged 7 commits into from
Jan 30, 2025
Merged

Update MASWE-0023 (by @NowSecure) #3116

merged 7 commits into from
Jan 30, 2025
+24 −10

Conversation

cpholguera
Copy link
Collaborator

@cpholguera cpholguera commented Jan 16, 2025
edited
Loading

  1. Changed PKCS#5 to PKCS#7 in Document/0x04g-Testing-Cryptography.md:

    • Corrected the reference from PKCS#5 to PKCS#7 which is the correct one.

  2. Refined the language in MASVS-CRYPTO/MASWE-0014:

    • Changed "Data Tampering" to "Loss of Integrity."
    • This aligns terminology used in other weaknesses, for consistency.

  3. Expanded on padding oracle attacks in MASWE-0023:

    • Enhanced the explanation by including the role of error messages and the importance of additional mitigations like HMAC or authenticated modes.
    • Added clarity on conditions for the attack:
      • Lack of message authentication.
      • Feedback mechanisms that create a "padding oracle."
    • Updated mitigations:
      • Highlighted the use of Encrypt-then-MAC (EtM) with AES-CBC if AES-GCM isn't feasible.
      • Reinforced that cryptographic errors (like padding or MAC errors) should never be exposed to users.

@cpholguera cpholguera requested a review from serek8 January 16, 2025 17:30
@sushi2k sushi2k self-requested a review January 17, 2025 08:41
serek8
serek8 suggested changes Jan 20, 2025
View reviewed changes
weaknesses/MASVS-CRYPTO/MASWE-0023.md Outdated Show resolved Hide resolved
@cpholguera @serek8
Fix PKCS#7 confusion
f84f8e5 
Co-authored-by: Jan Seredynski <[email protected]>
serek8
serek8 reviewed Jan 24, 2025
View reviewed changes
weaknesses/MASVS-CRYPTO/MASWE-0023.md Outdated Show resolved Hide resolved
weaknesses/MASVS-CRYPTO/MASWE-0023.md Outdated Show resolved Hide resolved
@cpholguera cpholguera requested a review from serek8 January 25, 2025 11:37
@cpholguera
Copy link
Collaborator Author

I fully agree with your comments, @serek8. Please review the new version of the content.

@cpholguera cpholguera merged commit e36a39b into master Jan 30, 2025
5 of 6 checks passed
@cpholguera cpholguera deleted the update-maswe-0023 branch January 30, 2025 07:24
@cpholguera cpholguera changed the title Update MASWE-0023 Update MASWE-0023 (by @NowSecure) Jan 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@serek8 serek8 serek8 approved these changes

@sushi2k sushi2k Awaiting requested review from sushi2k

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cpholguera @serek8