Typescript Kony Hardcoded Encryption Key
Description
Detects hardcoded encryption keys in Kony application code. When encryption keys are hardcoded in source code rather than securely stored and retrieved at runtime, attackers can extract these keys by analyzing the code, potentially compromising encrypted data. This violates secure key management practices.
Detection Strategy
• Identifies calls to specific Kony encryption methods (such as kony.crypto.encrypt) in TypeScript/JavaScript code
• Examines the second parameter (index 1) of these encryption method calls
• Checks if the encryption key parameter is a hardcoded value (like a string literal) instead of a variable or runtime value
• Reports a vulnerability when an encryption method is called with a hardcoded key value
Vulnerable code example
// Demonstrates insecure usage of hardcoded encryption keys
const secretKey = "mySuperSecretKey123"; // Vulnerable: encryption key hardcoded in source code
const encryptedData = kony.crypto.encrypt(
  "aes",
  secretKey, // Security risk: using a hardcoded key for encryption
  "sensitive_data"
);
✅ Secure code example
// Use secure key generation or retrieval from secure storage
const secureKey = kony.crypto.newKey("aes", 256); // Safe: key generated at runtime using the crypto API
const encryptedData = kony.crypto.encrypt(
  "aes",
  secureKey, // Safe: using a runtime-generated key instead of a hardcoded value
  "sensitive_data"
);
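Added example (not Fluid Attacks' rule implementation, which this page does not show): a stand-alone JavaScript detector that applies the detection strategy above to the two snippets, and also resolves a key passed through a const-bound string literal, as the vulnerable example does. It assumes a small hand-written argument scanner instead of a real TypeScript parser, and the sample source is constructed.

```javascript
// Added example, not Fluid Attacks' rule code: a minimal detector for the
// strategy above, using a hand-written argument scanner (no real TS parser).

const STRING_LITERAL = /^(["'`])(?:\\.|(?!\1).)*\1$/; // quoted literal, escapes allowed

// Split a call's arguments (src[start] is just past "(") at top-level commas,
// ignoring commas inside strings and nested brackets.
function splitArgs(src, start) {
  let args = [], depth = 0, quote = null, cur = "";
  for (let i = start; i < src.length; i++) {
    const ch = src[i];
    if (quote) {                                  // inside a string literal
      cur += ch;
      if (ch === "\\") cur += src[++i] ?? "";     // keep escaped char verbatim
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'" || ch === "`") { quote = ch; cur += ch; }
    else if ("([{".includes(ch)) { depth++; cur += ch; }
    else if (")]}".includes(ch) && depth === 0) { args.push(cur.trim()); return args; }
    else if (")]}".includes(ch)) { depth--; cur += ch; }
    else if (ch === "," && depth === 0) { args.push(cur.trim()); cur = ""; }
    else cur += ch;
  }
  return args;                                    // unterminated call: best effort
}

// The key is hardcoded if it is a literal itself, or an identifier whose
// const/let/var initializer in the same source is a literal (vulnerable example).
function isHardcodedKey(arg, src) {
  if (STRING_LITERAL.test(arg)) return true;
  if (!/^[A-Za-z_]\w*$/.test(arg)) return false;
  const decl = src.match(new RegExp(`\\b(?:const|let|var)\\s+${arg}\\s*=\\s*([^;\\n]+)`));
  return decl !== null && STRING_LITERAL.test(decl[1].trim());
}

// One finding per kony.crypto.encrypt call whose key argument (index 1) is hardcoded.
function findHardcodedKeys(src) {
  const call = /kony\.crypto\.encrypt\s*\(/g, findings = [];
  for (let m; (m = call.exec(src)) !== null; ) {
    const args = splitArgs(src, m.index + m[0].length);
    const line = src.slice(0, m.index).split("\n").length;
    if (args.length > 1 && isHardcodedKey(args[1], src)) findings.push({ line, key: args[1] });
  }
  return findings;
}

// Constructed sample: the page's vulnerable and secure snippets plus an inline literal.
const SAMPLE = `const secretKey = "mySuperSecretKey123";
const enc1 = kony.crypto.encrypt("aes", secretKey, "sensitive_data");
const secureKey = kony.crypto.newKey("aes", 256);
const enc2 = kony.crypto.encrypt("aes", secureKey, "sensitive_data");
const enc3 = kony.crypto.encrypt("aes", 'inline-key', "sensitive_data");`;
```

Running findHardcodedKeys(SAMPLE) reports lines 2 and 5 (the const-bound literal and the inline literal) and leaves the kony.crypto.newKey call on line 4 alone.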