Dart Hardcoded Salt In Pbkdf2
Description
Detects when PBKDF2 cryptographic hashing is implemented with a hardcoded salt value in Dart code. Using a hardcoded salt instead of a random one eliminates a critical security feature of password hashing, making password cracking easier through rainbow table attacks.
Detection Strategy
• Identifies constructor calls to Pbkdf2Parameters in Dart code
• Examines the salt parameter passed to the Pbkdf2Parameters constructor
• Reports a vulnerability if the salt value is a literal (hardcoded) value instead of being generated dynamically
• Triggers on code patterns like: new Pbkdf2Parameters(salt: [1, 2, 3], ...)
Vulnerable code example
import 'dart:convert';
import 'dart:typed_data';
import 'package:pointycastle/export.dart';
const String UNSAFE_SALT = 'STATIC_SALT_1234'; // Vulnerability: Hardcoded salt removes protection against rainbow tables
String deriveKey(String password) {
  var keyDerivator = PBKDF2KeyDerivator(HMac(SHA1Digest(), 64));
  // Every password is salted with the same constant, so equal passwords yield equal keys
  keyDerivator.init(Pbkdf2Parameters(Uint8List.fromList(utf8.encode(UNSAFE_SALT)), 1000, 32));
  return base64.encode(keyDerivator.process(Uint8List.fromList(utf8.encode(password))));
}
Secure code example
import 'dart:convert';
import 'dart:typed_data';
import 'dart:math';
const int _iterations = 10000; // Increased iterations for better security
const int _keyLength = 32;
const int _saltLength = 16;
const int _blockLength = 64;
...
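The secure example above is cut off after its constants. What follows is an added example, not Fluid Attacks' own code, that carries the same constants through a complete hardened flow: a fresh salt from Random.secure() for every password, the salt stored beside the derived key so it can be re-derived later, and a constant-time comparison on verification. It assumes the pointycastle package (the same PBKDF2KeyDerivator/Pbkdf2Parameters API the vulnerable example uses) with SHA-256 as the HMAC digest; the helper names generateSalt, hashPassword and verifyPassword are assumptions of this example.

```dart
import 'dart:convert';
import 'dart:math';
import 'dart:typed_data';
import 'package:pointycastle/export.dart'; // assumption: pointycastle supplies the PBKDF2 classes

const int _iterations = 10000;
const int _keyLength = 32;
const int _saltLength = 16;
const int _blockLength = 64; // HMAC block size for SHA-256

/// Returns a fresh, unpredictable salt from the platform CSPRNG.
Uint8List generateSalt() {
  final rng = Random.secure();
  return Uint8List.fromList(List<int>.generate(_saltLength, (_) => rng.nextInt(256)));
}

/// Derives a key from [password] with the salt supplied by the caller (never a constant).
Uint8List deriveKey(String password, Uint8List salt) {
  final kdf = PBKDF2KeyDerivator(HMac(SHA256Digest(), _blockLength));
  kdf.init(Pbkdf2Parameters(salt, _iterations, _keyLength));
  return kdf.process(Uint8List.fromList(utf8.encode(password)));
}

/// Produces the record to store: the salt is not secret and travels with the key.
String hashPassword(String password) {
  final salt = generateSalt();
  final key = deriveKey(password, salt);
  return '${base64.encode(salt)}:${base64.encode(key)}';
}

/// Re-derives with the stored salt and compares without early exit (constant time).
bool verifyPassword(String password, String stored) {
  final parts = stored.split(':');
  if (parts.length != 2) return false;
  final salt = base64.decode(parts[0]);
  final expected = base64.decode(parts[1]);
  final actual = deriveKey(password, salt);
  if (expected.length != actual.length) return false;
  var diff = 0;
  for (var i = 0; i < expected.length; i++) {
    diff |= expected[i] ^ actual[i];
  }
  return diff == 0;
}

void main() {
  // Hashing the same password twice must give different records: that is the salt doing its job.
  final first = hashPassword('correct horse battery');
  final second = hashPassword('correct horse battery');
  print('records differ: ${first != second}');
  print('correct password accepted: ${verifyPassword('correct horse battery', first)}');
  print('wrong password rejected: ${!verifyPassword('wrong password', first)}');
}
```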