md5 (BAN-B303): Use of the insecure MD2, MD4, MD5, or SHA1 hash functions should be avoided. Use more secure algorithms such as SHA256 or SHA512 instead.
Use of insecure cipher or cipher mode. Replace with a known secure cipher such as AES.
Cipher used is not secure. It is recommended to replace with a known secure cipher such as AES.
Use of an insecure cipher mode such as ECB is not recommended for use in cryptographic protocols at all. ECB encrypts identical plaintext blocks into identical ciphertext blocks and therefore does not hide data patterns well; in some senses it does not provide serious message confidentiality.
The MD2, MD4, MD5 and SHA1 signature algorithms are known to be vulnerable to collision attacks. Attackers can exploit this to generate another certificate with the same digital signature, allowing them to masquerade as the affected service.
expatreader method (BAN-B315): Using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. Using the defusedxml module is recommended. Methods should be replaced with their defusedxml equivalents.
pycryptodome library imported (BAN-B414): pycryptodome is a direct fork of pycrypto that has not fully addressed the issues inherent in PyCrypto. It seems to exist mainly as an API-compatible continuation of pycrypto and should be deprecated in favor of pyca/cryptography, which has more support among the Python community.
Spawning a subprocess in a way that doesn't use a shell is generally safe, but it may be useful for penetration testing workflows to track where external system calls are used.
eval (PYL-W0123): Use of a possibly insecure function; consider using the safer ast.literal_eval. Read more on why eval should be avoided here.
Running a Django application with debug mode enabled may allow an attacker to gain access to sensitive information. Ensure that Django applications run in a production environment have DEBUG set to False.
lxml import detected (BAN-B410): Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package.
lxml.etree (BAN-B320): Using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. Using the defusedxml module is recommended. Methods should be replaced with their defusedxml equivalents.
exec (PYL-W0122): Usage of the exec function is strongly discouraged, since it opens up possibilities of unauthorized code execution if the statements are not escaped properly. Read more on why exec should be avoided here.
FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.
xmlrpclib import detected (BAN-B411): XMLRPC is particularly dangerous as it is also concerned with communicating data over a network. Use the defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate remote XML attacks.
xml.dom.pulldom detected (BAN-B319): Using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. Using the defusedxml module is recommended. Methods should be replaced with their defusedxml equivalents.
xml.dom.minidom detected (BAN-B318): Using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. Using the defusedxml module is recommended. Methods should be replaced with their defusedxml equivalents.
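The expatreader, lxml, xmlrpclib, xml.dom.pulldom and xml.dom.minidom entries above all point at the same mitigation: stop entity processing before the parser expands anything. The following is an added example, not part of the rule text and not defusedxml's own code; it applies that idea directly on the standard library's xml.parsers.expat so it runs without third-party packages. The function names, exception classes and the sample documents are this example's own constructions.

```python
"""Defensive XML parsing with the standard library's expat parser.

Added example, not part of the DeepSource rule text. It follows the same
approach defusedxml takes (refuse entity declarations, external entity
references and, optionally, any DTD before expansion can happen), but is
written directly against xml.parsers.expat. Names are this example's own.
"""
import xml.parsers.expat


class EntitiesForbidden(ValueError):
    """The document declares or references an entity."""


class DTDForbidden(ValueError):
    """The document carries a DOCTYPE and the caller disallowed DTDs."""


def parse_untrusted(xml_text: str, forbid_dtd: bool = False) -> dict:
    """Parse XML with entity processing disabled.

    Returns a dict with per-tag element counts and the concatenated
    character data, or raises EntitiesForbidden / DTDForbidden.
    """
    parser = xml.parsers.expat.ParserCreate()
    counts: dict[str, int] = {}
    chunks: list[str] = []

    # Handler signatures follow the xml.parsers.expat documentation.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise DTDForbidden(f"DOCTYPE not allowed: {name!r}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Fires for internal and external entities alike, before any expansion.
        raise EntitiesForbidden(f"entity declaration not allowed: {name!r}")

    def on_external_ref(context, base, sysid, pubid):
        raise EntitiesForbidden(f"external entity reference not allowed: {sysid!r}")

    def on_start(name, attrs):
        counts[name] = counts.get(name, 0) + 1

    def on_chars(data):
        chunks.append(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    # An exception raised inside a handler stops the parse and propagates here.
    parser.Parse(xml_text, True)
    return {"elements": counts, "text": "".join(chunks)}


def accepts(xml_text: str, forbid_dtd: bool = False) -> bool:
    """True if the document parses under the restrictions, False if rejected."""
    try:
        parse_untrusted(xml_text, forbid_dtd=forbid_dtd)
    except (EntitiesForbidden, DTDForbidden):
        return False
    return True


# Constructed sample documents (not taken from any real service).
CLEAN_DOC = "<config><host>db.internal</host><host>cache.internal</host></config>"
ENTITY_DOC = '<!DOCTYPE d [<!ENTITY a "aaaaaaaaaa">]><d>&a;</d>'
EXTERNAL_DOC = '<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///dev/null">]><d>&ext;</d>'
DTD_ONLY_DOC = '<!DOCTYPE d SYSTEM "d.dtd"><d/>'

if __name__ == "__main__":
    print(parse_untrusted(CLEAN_DOC))
    for doc in (ENTITY_DOC, EXTERNAL_DOC):
        print("rejected" if not accepts(doc) else "accepted")
    print(accepts(DTD_ONLY_DOC), accepts(DTD_ONLY_DOC, forbid_dtd=True))
```

The rejection happens at the declaration, so neither the internal entity nor the external one is ever expanded or fetched; forbid_dtd=True goes one step further and refuses any DOCTYPE, which is the right default for inputs that never legitimately carry one.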
Spawning of a subprocess using a command shell is dangerous as it is vulnerable to various shell injection attacks. Great care should be taken to sanitize all input in order to mitigate this risk. Calls of this type are identified by the use of certain commands which are known to use shells.
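The safe alternative to a shell-spawned subprocess is to pass an argument list so that no shell ever interprets the user-controlled value; where a shell cannot be avoided, each word must be quoted. The following is an added example, not part of the rule text; it uses the running Python interpreter as a stand-in for an external tool so it executes anywhere, and the helper names and the sample input are this example's own.

```python
"""Handing user-controlled values to a subprocess without a shell.

Added example, not part of the DeepSource rule text. A stand-in for an
external tool (the current interpreter printing its first argument) keeps
it self-contained; helper names are this example's own.
"""
import shlex
import subprocess
import sys

# Constructed input: harmless as an argument, but a shell would treat the
# ';' as a command separator if the value were interpolated into a string.
USER_SUPPLIED = "report.txt; echo injected"

# Stand-in for an external program: prints argv[1] exactly as received.
ECHO_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')"]


def run_without_shell(value: str) -> str:
    """Preferred form: argv list with shell=False (the default).

    The value becomes one argv element; no shell ever sees it, so
    metacharacters carry no special meaning.
    """
    result = subprocess.run(
        ECHO_ARGV + [value], capture_output=True, text=True, check=True
    )
    return result.stdout


def build_shell_command(value: str) -> str:
    """Fallback when a shell is unavoidable: quote every word with shlex.quote."""
    return " ".join(shlex.quote(part) for part in ECHO_ARGV + [value])


def run_with_quoted_shell(value: str) -> str:
    """shell=True, but only with a command string built by build_shell_command."""
    result = subprocess.run(
        build_shell_command(value), shell=True, capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    print(repr(run_without_shell(USER_SUPPLIED)))
    print(build_shell_command(USER_SUPPLIED))
    print(repr(run_with_quoted_shell(USER_SUPPLIED)))
```

Both helpers return the input unchanged, including the ';', which is the property to check in a review: the external program received the value as data, not as a command.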
Libraries like crypto and pycrypto are no longer actively maintained and have been deprecated in favor of the pyca/cryptography library. The pycrypto library is also known to have a publicly disclosed buffer overflow vulnerability.