nimro97 / pv204_in_dr
Repository for PV204 course semestral project @ Faculty of Informatics, Masaryk University
License: MIT License
Severity: critical
Risk: high/critical
Problem description: The application does not implement message integrity and replay checking and instead relies on encryption/decryption failing to detect message manipulation. While the fact that sessions are short and decryption is checked mitigates the issue to some extent, it means that, for example, messages can be held from the card. We have successfully tried this with the functionality for storing data, where we can hold back the encrypted secret and simply report back that we have received the data properly as the card (either by replaying the message a card sent previously or sending anything, as only the return code was checked here).
Additionally, as no message counters or unique data is included in every message, an attacker can observe traffic for identical messages, gaining additional knowledge about the communication.
Remediation: add message counter and hash to plaintext message with synchronization of counters and checking of hash on both ends. Example of new plaintext format: hash || counter || text.
Add these protections to plaintext so they cannot be easily modified.
Overall great work guys, really nice implementation.
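An added example (not code from the repository) of the `hash || counter || text` framing from the remediation above, applied in both directions so that a replayed or made-up acknowledgement is rejected. SHA-256, the 4-byte big-endian counter and the names `build_frame`, `parse_frame`, `Endpoint` and `FrameError` are assumptions; the frame is the plaintext that then gets encrypted under the session key, and that encryption layer is left out here.

```python
import hashlib
import hmac
import struct

HASH_LEN = 32     # SHA-256 (assumed; the issue does not name a hash)
COUNTER_LEN = 4   # big-endian unsigned counter (assumed width)


class FrameError(Exception):
    """Raised when a decrypted frame fails the integrity or counter check."""


def build_frame(counter: int, text: bytes) -> bytes:
    """Return hash || counter || text, to be encrypted under the session key."""
    body = struct.pack(">I", counter) + text
    return hashlib.sha256(body).digest() + body


def parse_frame(plaintext: bytes, expected_counter: int) -> bytes:
    """Check a decrypted frame and return its text, or raise FrameError."""
    if len(plaintext) < HASH_LEN + COUNTER_LEN:
        raise FrameError("frame too short")
    digest, body = plaintext[:HASH_LEN], plaintext[HASH_LEN:]
    if not hmac.compare_digest(digest, hashlib.sha256(body).digest()):
        raise FrameError("hash mismatch")
    (counter,) = struct.unpack(">I", body[:COUNTER_LEN])
    if counter != expected_counter:
        raise FrameError(f"counter {counter}, expected {expected_counter}")
    return body[COUNTER_LEN:]


class Endpoint:
    """One side of the session; both sides start at 0 and stay in step."""

    def __init__(self) -> None:
        self.send_counter = 0
        self.recv_counter = 0

    def send(self, text: bytes) -> bytes:
        frame = build_frame(self.send_counter, text)
        self.send_counter += 1
        return frame

    def receive(self, plaintext: bytes) -> bytes:
        text = parse_frame(plaintext, self.recv_counter)
        self.recv_counter += 1  # advance only after a frame verifies
        return text
```

Because the counter is part of the hashed plaintext, two messages with the same text no longer produce the same frame, which also covers the identical-message observation in the issue.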
Hello all,
Your project caught my attention during final presentations, and I really like the work you guys did. I checked the presentation and report again because I was interested in some project which utilized automata-based programming for Java cards. Your presentation seems like you implemented this approach. However, I cannot find OOP automata-based source code in your applet. I found the statusVar attribute, which can have a value of 0, 15, or 240. Is your FSM implemented with assigning and checking values of this attribute, or are there anywhere defined states with transitions and allowed actions?
Thanks!
Severity: high - critical
Risk: high - high chance of affecting legitimate users and causing disruption of service
Problem description: The application incorrectly reads the PIN value entered by the user as a byte array and does not check the amount of data read. As a result, the data can be incorrectly parsed and further processed, resulting in either a) need for repeated authentication or b) multiple PIN attempts deducted as a part of one attempt, possibly blocking the card unintentionally.
Remediation: either check the amount of read data or read a string and parse it to an integer.