C Sharp Hardcoded Insecure Keys
Description
Detects the use of hardcoded, insecure RSA cryptographic keys in C# code. This represents a security risk since hardcoded cryptographic parameters can be extracted from the application binary and potentially used to compromise the cryptographic security of the system.
Detection Strategy
• Check method calls that initialize RSA cryptographic operations
• Analyze if the RSA parameters (modulus, exponent) are specified as hardcoded values
• Flag as vulnerable if no arguments are provided to RSA initialization
• Flag as vulnerable if the arguments contain weak or insecure hardcoded values
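A simplified sketch of this detection strategy, added here as an example and not Fluid Attacks' own implementation: a line-based Python scan that flags `new RSACryptoServiceProvider(...)` calls with no arguments or with a hardcoded key size below 2048 bits, resolving `const int` names where it can. The names `scan_csharp`, `MIN_RSA_BITS` and the C# sample are assumptions constructed for the demonstration.

```python
import re

MIN_RSA_BITS = 2048  # assumed threshold, taken from the page's secure example
# `new RSACryptoServiceProvider(<args>)`, capturing the raw argument list.
RSA_INIT = re.compile(r"new\s+RSACryptoServiceProvider\s*\(([^()]*)\)")
# `const int NAME = 1024;` declarations, used to resolve symbolic key sizes.
CONST_INT = re.compile(r"const\s+int\s+(\w+)\s*=\s*(\d[\d_]*)\s*;")
INT_LITERAL = re.compile(r"\d[\d_]*")

def scan_csharp(source):
    """Return (line_number, reason) for every flagged RSA initialization."""
    # Drop trailing // comments (simplification: ignores // inside strings).
    lines = [line.split("//", 1)[0] for line in source.splitlines()]
    consts = {m.group(1): int(m.group(2).replace("_", ""))
              for line in lines for m in CONST_INT.finditer(line)}
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in RSA_INIT.finditer(line):
            args = [a.strip() for a in match.group(1).split(",") if a.strip()]
            if not args:
                findings.append((number, "no key size argument"))
                continue
            first = args[0]
            if INT_LITERAL.fullmatch(first):
                bits = int(first.replace("_", ""))
            elif first in consts:
                bits = consts[first]
            else:
                continue  # not a literal or known constant: undecidable here
            if bits < MIN_RSA_BITS:
                findings.append((number, f"hardcoded {bits}-bit key size"))
    return findings

# Constructed C# input for the demonstration.
SAMPLE = """\
class Demo {
    const int LegacyBits = 1024;
    void Run(int configured) {
        var a = new RSACryptoServiceProvider();            // flagged
        var b = new RSACryptoServiceProvider(1024);        // flagged
        var c = new RSACryptoServiceProvider(LegacyBits);  // flagged via constant
        var d = new RSACryptoServiceProvider(2048);        // accepted
        var e = new RSACryptoServiceProvider(configured);  // skipped
        // var f = new RSACryptoServiceProvider(512);
    }
}
"""
print(scan_csharp(SAMPLE))
```

Calls whose first argument is neither an integer literal nor a resolvable constant are skipped rather than flagged, so a real analyzer would need data-flow tracking to decide those cases.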
Vulnerable code example
using System.Security.Cryptography;

class InsecureEncryption {
    public void DemoCryptoVulnerabilities() {
        // Vulnerable: Uses default/weak 1024-bit key size
        var weakRsa = new RSACryptoServiceProvider();
        // Vulnerable: Explicitly using insufficient 1024-bit key...
    }
}
Secure code example
using System.Security.Cryptography;

class SecureEncryption {
    public void DemoCryptoSecurity() {
        // Secure: Uses strong 2048-bit key size (minimum recommended)
        var strongRsa = new RSACryptoServiceProvider(2048);
        // Secure: Using 2048-bit key with modern RSACng...
    }
}