Category Archives: Security

[Solved] Fortify Issue “Log Forging” and “Cross Site Script Injection” in log file


To fix the Fortify scan findings “Log Forging” and “Cross Site Script Injection”, remove script tags from a log message before it is printed to the console or written to a log file.

Why?

If a log statement contains a script tag and those logs are later opened in a browser-based tool such as Kibana for analysis, the script inside the tag can execute in the analyst's browser, which is the cross-site scripting the finding refers to.

Solutions

Call the lines of code below, which use a regular expression to identify valid script tags and remove them from the message while leaving the content between the opening and closing tags in place.

Remove script tag from log string message
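As an added example (not the post's own snippet), the sanitizer below removes script tags the way the text describes, keeping the inner content, and also neutralises CR/LF so user input cannot forge extra log lines; the class and method names are assumed.

```java
import java.util.regex.Pattern;

/** Added example: neutralise a log message before it reaches the logger (not the post's code). */
public class LogSanitizer {

    // Matches <script ...> and </script> in any case; the text between the tags is kept,
    // which is the behaviour the post describes for its sanitizer.
    private static final Pattern SCRIPT_TAG =
            Pattern.compile("</?script\\b[^>]*>", Pattern.CASE_INSENSITIVE);

    /** Removes script tags so the message cannot run when the log is viewed in a browser (e.g. Kibana). */
    public static String stripScriptTags(String msg) {
        if (msg == null) {
            return null;
        }
        return SCRIPT_TAG.matcher(msg).replaceAll("");
    }

    /** Log forging: a CR or LF inside user input would let one request write extra, fake log lines. */
    public static String neutralizeNewlines(String msg) {
        if (msg == null) {
            return null;
        }
        return msg.replace("\r", "\\r").replace("\n", "\\n");
    }

    /** Apply both fixes; call this on every untrusted value before it is logged. */
    public static String sanitize(String msg) {
        return neutralizeNewlines(stripScriptTags(msg));
    }

    public static void main(String[] args) {
        // Constructed sample input that contains both a forged line and a script tag
        String userInput = "alice\n[INFO] login ok for admin<script>alert(1)</script>";
        System.out.println("raw      : " + userInput);
        System.out.println("sanitized: " + sanitize(userInput));
    }
}
```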

[Solved] javax.crypto.AEADBadTagException: Tag mismatch


AEADBadTagException is a subclass of BadPaddingException. It is thrown when a Cipher is unable to verify the authentication tag, which only happens with an AEAD cipher, i.e. GCM or CCM mode.

public class AEADBadTagException extends BadPaddingException

Constructor

  • AEADBadTagException(): Constructs an AEADBadTagException with no detail message.
  • AEADBadTagException(String msg): Constructs an AEADBadTagException with the specified detail message.

Exception

Here is a complete example of encryption and decryption with the AES/GCM/NoPadding algorithm that has an issue with the IV value, which GCM uses as part of the authentication.

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Example of plain text encryption and decryption with the Java AES-256 GCM algorithm.
 */
public class AES_GCM_Example
{
    static String plainText = "facing Issues on IT  (Learn from Others Experience)";
    public static final int AES_KEY_SIZE = 256;
    public static final int GCM_IV_LENGTH = 12;
    public static final int GCM_TAG_LENGTH = 16;

    public static void main(String[] args) throws Exception
    {
        KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
        keyGenerator.init(AES_KEY_SIZE);

        // Generate key
        SecretKey key = keyGenerator.generateKey();

        // Random 12-byte IV; exactly the same IV must be supplied again on decryption
        byte[] IV = new byte[GCM_IV_LENGTH];
        SecureRandom random = new SecureRandom();
        random.nextBytes(IV);

        System.out.println("Original Text : " + plainText);

        byte[] cipherText = encrypt(plainText.getBytes(StandardCharsets.UTF_8), key, IV);
        System.out.println("Encrypted Text : " + Base64.getEncoder().encodeToString(cipherText));

        String decryptedText = decrypt(cipherText, key, IV);
        System.out.println("DeCrypted Text : " + decryptedText);
    }

    public static byte[] encrypt(byte[] plaintext, SecretKey key, byte[] IV) throws Exception
    {
        // Get Cipher instance for the selected algorithm
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");

        // Create SecretKeySpec for key
        SecretKeySpec keySpec = new SecretKeySpec(key.getEncoded(), "AES");

        // Create GCMParameterSpec (tag length in bits, IV)
        GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, IV);

        // Initialize Cipher in ENCRYPT_MODE to encrypt the plaintext
        cipher.init(Cipher.ENCRYPT_MODE, keySpec, gcmParameterSpec);

        // Perform encryption; the output is ciphertext followed by the 16-byte tag
        byte[] cipherText = cipher.doFinal(plaintext);

        return cipherText;
    }

    public static String decrypt(byte[] cipherText, SecretKey key, byte[] IV) throws Exception
    {
        // Get Cipher instance for the same AES algorithm
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");

        // Create SecretKeySpec for key
        SecretKeySpec keySpec = new SecretKeySpec(key.getEncoded(), "AES");

        // Create GCMParameterSpec (tag length in bits, IV)
        // IV = new byte[GCM_IV_LENGTH]; // here is the issue: a new all-zero IV differs from the one used to encrypt
        GCMParameterSpec gcmParameterSpec = new GCMParameterSpec(GCM_TAG_LENGTH * 8, IV);

        // Initialize Cipher in DECRYPT_MODE to recover the plain text
        cipher.init(Cipher.DECRYPT_MODE, keySpec, gcmParameterSpec);

        // Perform decryption; doFinal verifies the tag and throws AEADBadTagException on mismatch
        byte[] decryptedText = cipher.doFinal(cipherText);

        return new String(decryptedText, StandardCharsets.UTF_8);
    }

}

Output


Original Text : facing Issues on IT  (Learn from Others Experience)
Encrypted Text : AxboQXVKKPMm05cRaslMuxDl8IK77OLgG2ddnVSKzQUVQEXL/Xic+OHN/8ixbrFbvSrytStUWBsYQyXIWLQB22+0sg==
Exception in thread "main" javax.crypto.AEADBadTagException: Tag mismatch!
       at com.sun.crypto.provider.GaloisCounterMode.decryptFinal(GaloisCounterMode.java:524)
       at com.sun.crypto.provider.CipherCore.finalNoPadding(CipherCore.java:1023)
       at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:960)
       at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:824)
       at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:436)
       at javax.crypto.Cipher.doFinal(Cipher.java:2121)
       at enc_dec.AES_GCM_Example.decrypt(AES_GCM_Example.java:84)
       at enc_dec.AES_GCM_Example.main(AES_GCM_Example.java:41)

Solution

The issue is in decryption: the IV is replaced by a newly created byte array, so it differs from the value passed to encryption, and the authentication check between encryption and decryption fails.

To fix this specific issue, comment out line 68 (the line marked “here is issue”), after which the output is as below.


Original Text : facing Issues on IT  (Learn from Others Experience)
Encrypted Text : faSkDrA737VyiocRk1n5arFGaO5r7GDN6xFmz7hjZppkN0y8sgcj9N5iqaZ2+gbRowli5Ocfm1sQB2qL+nEVIzsWVg==
DeCrypted Text : facing Issues on IT  (Learn from Others Experience)
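As an added example (not the post's code), the class below stores the IV as the first 12 bytes of the encrypted blob so decryption can never be given a different IV, and then flips one ciphertext bit to show that the same AEADBadTagException is how GCM reports tampering; the class and method names are assumed.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example (not the post's code): carry the IV inside the ciphertext blob. */
public class AesGcmWithIv {
    static final int IV_LEN = 12, TAG_BITS = 128;

    /** Output layout: IV || ciphertext || tag. A fresh random IV per call is mandatory for GCM. */
    static byte[] encrypt(byte[] plain, SecretKey key) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    static byte[] decrypt(byte[] blob, SecretKey key) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        // Read the IV back from the first 12 bytes instead of trusting a separately kept copy
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] blob = encrypt("facing Issues on IT".getBytes(StandardCharsets.UTF_8), key);
        System.out.println("round trip: " + new String(decrypt(blob, key), StandardCharsets.UTF_8));

        // Flip one ciphertext bit: the tag check fails with the exception shown in the post
        byte[] tampered = Arrays.copyOf(blob, blob.length);
        tampered[IV_LEN] ^= 0x01;
        try {
            decrypt(tampered, key);
        } catch (AEADBadTagException e) {
            System.out.println("tamper detected: " + e.getMessage());
        }
    }
}
```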


Java 8: Base64 Encoding and Decoding


Java 8 added the new class java.util.Base64 for encoding and decoding (Base64 is an encoding, not encryption: it hides nothing). It supports three types of encoder and decoder:

  • Simple
  • URL
  • MIME

Note: Passing a null argument to a method of this class will cause a NullPointerException to be thrown.

Simple

Uses “The Base64 Alphabet” (A-Za-z0-9+/) for encoding and decoding. The encoder does not add any line feed or line separator character to the output, and the decoder rejects all characters outside the Base64 alphabet.

Example: Simple Encoding and Decoding

import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class Base64s {

    public static void main(String[] args) {
        final String text = "Facing Issues On IT in Java 8!";

        final String encoded = Base64.getEncoder().encodeToString(text.getBytes(StandardCharsets.UTF_8));
        System.out.println("After Encoding:" + encoded);

        final String decoded = new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
        System.out.println("After Decoding:" + decoded);
    }
}

Output


After Encoding:RmFjaW5nIElzc3VlcyBPbiBJVCBpbiBKYXZhIDgh
After Decoding:Facing Issues On IT in Java 8!

URL

Uses the “URL and Filename safe Base64 Alphabet” (A-Za-z0-9-_, i.e. ‘-’ and ‘_’ in place of ‘+’ and ‘/’) for encoding and decoding. The encoder does not add any line feed or line separator character to the output, and the decoder rejects all characters outside the URL-safe Base64 alphabet.

Example: URL Encoding and Decoding

import java.util.Base64;

public class Base64URLExample {

	public static void main(String[] args) {
		String originalUrl = "https://www.google.co.in/?gfe_rd=cr&ei=dzbFV&gws_rd=ssl#q=java";
		String encodedUrl = Base64.getUrlEncoder().encodeToString(originalUrl.getBytes());
		System.out.println("After Encoding:"+ encodedUrl );

		byte[] decodedBytes = Base64.getUrlDecoder().decode(encodedUrl);
		String decodedUrl = new String(decodedBytes);
		System.out.println("After Decoding:"+ decodedUrl );
	}

}

Output


After Encoding:aHR0cHM6Ly93d3cuZ29vZ2xlLmNvLmluLz9nZmVfcmQ9Y3ImZWk9ZHpiRlYmZ3dzX3JkPXNzbCNxPWphdmE=
After Decoding:https://www.google.co.in/?gfe_rd=cr&ei=dzbFV&gws_rd=ssl#q=java

MIME

Uses “The Base64 Alphabet” (A-Za-z0-9+/) for encoding and decoding. The encoded output is represented in lines of no more than 76 characters each and uses a carriage return ‘\r’ followed immediately by a line feed ‘\n’ as the line separator. No line separator is added to the end of the encoded output. All line separators or other characters not found in the Base64 alphabet table are ignored in the decoding operation.

Example: MIME Encoding and Decoding

import java.io.UnsupportedEncodingException;
import java.util.Base64;
import java.util.UUID;

public class Base64Mime {

	public static void main(String[] args) {

		try {
			StringBuilder stringBuilder = new StringBuilder();
			// Lets generate some mime input to encode
			for (int i = 0; i < 10; ++i) {
				stringBuilder.append(UUID.randomUUID().toString());
			}

			byte[] mimeBytes = stringBuilder.toString().getBytes("utf-8");
			String mimeEncodedString = Base64.getMimeEncoder().encodeToString(mimeBytes);
			System.out.println("Base64 Encoded String (MIME) :" + mimeEncodedString);

			byte[] decodedBytes = Base64.getMimeDecoder().decode(mimeEncodedString);
			String decodedMime = new String(decodedBytes);
			System.out.println("Base64 Decoded String (MIME) :" + decodedMime);

		} catch (UnsupportedEncodingException e) {
			System.out.println("Error :" + e.getMessage());
		}
	}

}

Output


Base64 Encoded String (MIME) :YWY1MWRkMDAtNjg0MC00MDE4LTk5YWYtMDE4NTFhYmZkYzA3M2Q0MjU1YjMtNDFiOS00ZmZmLTky
NjktYzc5YjU2Mzg4OGMyM2IzZTAyN2QtNzhkMC00YzRiLTg3MzgtZWFiMmI3OTdlNmVlMzdmYzQ3
ZDItYmI2Zi00NmVjLThlYTQtOWUwYWJlODA0M2IwN2I1NzIxNjUtNzJjZC00ODhmLWJkMWUtOWVl
NGI3YTc5M2NmZjczMjU1MDItMzIyNC00Mjc1LWI2MjQtNTcxZTU3ZmZkZjVhNTdiMmM4NTgtMzFi
Yi00ZjNlLWI5MWYtZWJkNjc5ODlkOTA2NDQ4MDZiZDQtOWM4Zi00NjJlLWI1ZWUtODZiNWM0MTJm
MmVjM2JmMjFjMDAtNjUwYi00ZjE0LWI5ZTUtOTY2YjE2NjUzMWQxMGJhYTIzMTAtOTFmMy00OGYz
LTg1ZTgtZmU3OTEyMjNhODc3
Base64 Decoded String (MIME) :af51dd00-6840-4018-99af-01851abfdc073d4255b3-41b9-4fff-9269-c79b563888c23b3e027d-78d0-4c4b-8738-eab2b797e6ee37fc47d2-bb6f-46ec-8ea4-9e0abe8043b07b572165-72cd-488f-bd1e-9ee4b7a793cff7325502-3224-4275-b624-571e57ffdf5a57b2c858-31bb-4f3e-b91f-ebd67989d90644806bd4-9c8f-462e-b5ee-86b5c412f2ec3bf21c00-650b-4f14-b9e5-966b166531d10baa2310-91f3-48f3-85e8-fe791223a877
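As an added example (not the post's code), the class below exercises the decoder rules stated for the three variants: the basic and URL-safe decoders reject each other's alphabet characters, while the MIME decoder ignores line breaks and other non-alphabet characters that the basic decoder rejects; the class and method names are assumed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added example (not the post's code): which input each of the three decoders accepts. */
public class Base64DecoderRules {

    /** Returns the decoded text, or "rejected: ..." when the decoder throws. */
    static String tryDecode(Base64.Decoder decoder, String input) {
        try {
            return new String(decoder.decode(input), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed bytes chosen so the encoding contains the two alphabet-specific characters
        byte[] data = { (byte) 0xfb, (byte) 0xff, (byte) 0xbf };
        String basic = Base64.getEncoder().encodeToString(data);
        String urlSafe = Base64.getUrlEncoder().encodeToString(data);
        System.out.println("basic encoding   : " + basic);
        System.out.println("url-safe encoding: " + urlSafe);

        // Each strict decoder rejects the other alphabet's characters
        System.out.println("url decoder on basic : " + tryDecode(Base64.getUrlDecoder(), basic));
        System.out.println("basic decoder on url : " + tryDecode(Base64.getDecoder(), urlSafe));

        // MIME-style input: a CRLF line break inside the data and a trailing space
        String text = Base64.getEncoder().encodeToString("Facing Issues On IT".getBytes(StandardCharsets.UTF_8));
        String wrapped = text.substring(0, 8) + "\r\n" + text.substring(8) + " ";
        System.out.println("mime decoder on wrapped : " + tryDecode(Base64.getMimeDecoder(), wrapped));
        System.out.println("basic decoder on wrapped: " + tryDecode(Base64.getDecoder(), wrapped));
    }
}
```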


[Solved] javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with padded cipher


This exception typically occurs when the encoded text form of the ciphertext (for example a Base64 string used as a URL parameter) is passed to Cipher.doFinal() instead of the decoded ciphertext bytes, so the input length is not a multiple of the 16-byte AES block size.

Exception in thread "main" javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with padded cipher
	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:936)
	at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:847)
	at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
	at javax.crypto.Cipher.doFinal(Cipher.java:2165)
	at security.EncryptionDecryptionURLParam.main(EncryptionDecryptionURLParam.java:51)

Solution:

Use the statements below instead. Follow the example for more detail.

Do not use:

 byte[] decryptedPassword = cipher.doFinal(decodeStr.getBytes());

Use:

byte[] base64decodedTokenArr = Base64.decodeBase64(decodeStr.getBytes());
byte[] decryptedPassword = cipher.doFinal(base64decodedTokenArr);

Example: the complete listing is in the post “JAVA Encryption and Decryption of URL Parameter” further down this page.


[Solved] Exception java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/ECB/PKCS7Padding


The default JCE providers in Java 8 do not register a cipher named “AES/ECB/PKCS7Padding”.

Exception:

Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting AES/ECB/PKCS7Padding
	at javax.crypto.Cipher.getInstance(Cipher.java:540)
	at security.EncryptionDecryptionURLParam.main(EncryptionDecryptionURLParam.java:31)

Solution:

Java 8 does not provide “AES/ECB/PKCS7Padding”; use “AES/ECB/PKCS5Padding” instead, as in the encryption and decryption examples given below (for AES the two padding names describe the same byte padding).

Examples:

 


How to do Encryption and Decryption for plain text/password in JAVA


Java code for encryption and decryption of plain text. In the code below the plain text is encrypted with a key using the algorithm “AES/ECB/PKCS5Padding” and then decrypted back to plain text.

Pre-requisite:

  • Java 7 or 8

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class EncryptionDecryption {

    public static void main(String[] args) throws Exception {
        byte[] input = "facingissuesonit.com".getBytes(StandardCharsets.UTF_8);
        // Demo key only: a fixed key in source is readable by anyone who has the code
        byte[] keyBytes = new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
            0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };

        SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");

        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");

        System.out.println(new String(input, StandardCharsets.UTF_8));

        // Encryption pass
        cipher.init(Cipher.ENCRYPT_MODE, key);

        byte[] cipherText = new byte[cipher.getOutputSize(input.length)];
        int ctLength = cipher.update(input, 0, input.length, cipherText, 0);
        ctLength += cipher.doFinal(cipherText, ctLength);
        // Ciphertext is binary, so print it Base64-encoded rather than as a String
        System.out.println(Base64.getEncoder().encodeToString(cipherText));
        System.out.println(ctLength);

        // Decryption pass
        cipher.init(Cipher.DECRYPT_MODE, key);
        byte[] plainText = new byte[cipher.getOutputSize(ctLength)];
        int ptLength = cipher.update(cipherText, 0, ctLength, plainText, 0);
        ptLength += cipher.doFinal(plainText, ptLength);
        // Only the first ptLength bytes are valid; the buffer may be larger than the plaintext
        System.out.println(new String(plainText, 0, ptLength, StandardCharsets.UTF_8));
        System.out.println(ptLength);
    }

}


JAVA Encryption and Decryption of URL Parameter


Java code for encryption and decryption of URL parameters. In the code below the parameter is passed as a token consisting of a fixed text, a timestamp and a session ID, and is encrypted with a key using the algorithm “AES/ECB/PKCS5Padding”.

Pre-requisite:

  • JAVA 8
  • Common-Codec-1.8.jar

import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.text.SimpleDateFormat;
import java.util.Date;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

import org.apache.commons.codec.binary.Base64;

public class EncryptionDecryptionURLParam {
    public static final String FORMAT = "yyyy-MM-dd'T'HH:mm:ssZ";

    public static void main(String[] args) throws Exception {
        SimpleDateFormat sdf = new SimpleDateFormat(FORMAT);
        String timestamp = sdf.format(new Date());

        String constantValue = "FacingIssuesOnIT";
        String sessionId = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";

        String tokenStr = constantValue + "$" + timestamp + "/06$" + sessionId;

        System.out.println(tokenStr);

        // Demo key only: a fixed key in source is readable by anyone who has the code
        byte[] keyBytes = new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
            0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };

        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");

        SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");

        // Encryption of the token
        cipher.init(Cipher.ENCRYPT_MODE, key);

        byte[] cipherText = cipher.doFinal(tokenStr.getBytes(StandardCharsets.UTF_8));
        System.out.println("encrypted token size:" + cipherText.length);
        // Encode characters which are not allowed in a URL
        String encodedTxt = Base64.encodeBase64URLSafeString(cipherText);

        System.out.println("EncodedEncryptedToken : " + encodedTxt);

        // Decryption of the token
        cipher.init(Cipher.DECRYPT_MODE, key);
        String decodeStr = URLDecoder.decode(encodedTxt, StandardCharsets.UTF_8.toString());
        System.out.println("URL Decoder String :" + decodeStr);
        // Decode URL-safe Base64 back to the raw ciphertext bytes
        byte[] base64decodedTokenArr = Base64.decodeBase64(decodeStr.getBytes(StandardCharsets.UTF_8));

        byte[] decryptedPassword = cipher.doFinal(base64decodedTokenArr);
        // byte[] decryptedPassword = cipher.doFinal(decodeStr.getBytes()); // wrong: text form, not ciphertext bytes
        String decodeTxt = new String(decryptedPassword, StandardCharsets.UTF_8);
        System.out.println("Token after decryption: " + decodeTxt);
    }

}
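As an added example (not the post's code), the class below does the same token round trip with only java.util.Base64 from the JDK, so no commons-codec jar or URLDecoder step is needed, and it checks the decoded length before doFinal so a truncated parameter is reported directly instead of as the IllegalBlockSizeException discussed earlier on this page; it also shows the ECB caveat that the same token always encrypts to the same string. The class, method names and the fixed demo key are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/** Added example (not the post's code): URL-safe token round trip with JDK Base64 only. */
public class UrlTokenJdkBase64 {
    // Constructed demo key; a real key comes from a key store or KMS, never a source constant
    static final byte[] KEY = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
                                0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
    // withoutPadding() drops '=', so the token is URL-safe as is and needs no URLEncoder/URLDecoder
    static final Base64.Encoder URL_ENC = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder URL_DEC = Base64.getUrlDecoder();

    static String encryptToUrlToken(String token) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"));
        return URL_ENC.encodeToString(c.doFinal(token.getBytes(StandardCharsets.UTF_8)));
    }

    static String decryptUrlToken(String urlToken) throws Exception {
        // Base64-decode first: passing the text form to doFinal is what produces
        // IllegalBlockSizeException "Input length must be multiple of 16"
        byte[] ct = URL_DEC.decode(urlToken);
        if (ct.length % 16 != 0) {
            throw new IllegalArgumentException("truncated or corrupted token: " + ct.length + " bytes");
        }
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed token in the same layout as the post: fixed text, timestamp, session ID
        String token = "FacingIssuesOnIT$2024-01-01T00:00:00+0000/06$ABCDEFGHIJKLMNOPQRSTUVWXYZ";
        String t = encryptToUrlToken(token);
        System.out.println("url token : " + t);
        System.out.println("decrypted : " + decryptUrlToken(t));
        // ECB caveat: no IV, so an identical token always yields an identical ciphertext,
        // which lets an observer recognise repeated or shared prefixes across requests
        System.out.println("same again: " + t.equals(encryptToUrlToken(token)));
    }
}
```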
 
