PHP Hardcoded Cryptographic IV
Description
Detects when cryptographic operations in PHP use hardcoded initialization vectors (IVs) with the phpseclib3/Crypt/AES library. A hardcoded IV significantly weakens the encryption: an IV must be freshly and randomly generated for each encryption operation so that encrypting the same plaintext twice under the same key yields different ciphertexts; reusing a fixed IV lets an observer recognise repeated or shared-prefix plaintexts (pattern analysis).
Detection Strategy
• Checks if the phpseclib3/Crypt/AES library is imported in the code
• Identifies encrypt/decrypt method calls on AES cipher objects
• Verifies if the IV value was set using a hardcoded value rather than a randomly generated one
• Reports a vulnerability when a hardcoded IV is used with AES encryption/decryption operations
Vulnerable code example
<?php
use phpseclib3\Crypt\AES;

function encryptData($data) {
    $cipher = new AES('cbc');
    $cipher->setKey(random_bytes(32));
    $cipher->setIV('1234567890123456'); // VULNERABLE: Hardcoded IV compromises security
    return $cipher->encrypt($data);
}

✅ Secure code example
<?php
use phpseclib3\Crypt\AES;

function encryptData($data) {
    $cipher = new AES('cbc');
    $cipher->setKey(random_bytes(32)); // Secure random key
    $cipher->setIV(random_bytes(16)); // Secure random IV instead of hardcoded value
    return $cipher->encrypt($data);
}