C Sharp Weak Crypto Algorithm
Description
Detects the use of weak or insecure cryptographic mode configurations in C# code. This vulnerability could allow attackers to compromise the security of encrypted data by exploiting known weaknesses in certain crypto modes.
Detection Strategy
• Check variable assignments and member access expressions that configure cryptographic modes
• Compare the mode setting value against a list of known insecure cryptographic modes
• Flag instances where insecure modes like ECB (Electronic Code Book) are specified
• Analyze both direct mode assignments and variable references that set crypto modes
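The four steps above, implemented as an added example that is not part of the rule or its scanning engine: a two-pass scan in Python over C# source text. Pass one records variables initialised from a CipherMode literal, pass two checks every `Mode =` assignment and resolves identifiers through that table, so both the object-initializer form and the "assign a variable to Mode" form are caught. The regexes, the `Finding` type and the embedded C# sample are all constructed here; the default flag list contains only ECB, as in the strategy text, and callers can widen it (the page's own vulnerable example treats CBC as reportable).

```python
"""Toy detector for weak CipherMode settings in C# source (constructed example)."""
import re
from dataclasses import dataclass

# Modes reported by default. ECB comes from the rule text; widen via the parameter.
DEFAULT_INSECURE_MODES = frozenset({"ECB"})

# `var m = CipherMode.ECB;` or `CipherMode m = CipherMode.ECB;`
_MODE_VAR_DECL = re.compile(r"\b(?:var|CipherMode)\s+(\w+)\s*=\s*CipherMode\.(\w+)")
# `Mode = CipherMode.ECB` (object initializer) or `aes.Mode = someVar;` (member assignment)
_MODE_ASSIGN = re.compile(r"\bMode\s*=\s*(?:CipherMode\.(\w+)|([A-Za-z_]\w*))")


@dataclass(frozen=True)
class Finding:
    line: int   # 1-based line number in the scanned source
    mode: str   # resolved CipherMode value, e.g. "ECB"
    via: str    # "direct" or the name of the variable that carried the mode


def _strip_line_comment(line: str) -> str:
    # Toy: drop `// ...` so comment text cannot trigger a match.
    # Assumption: no `//` inside string literals.
    return line.split("//", 1)[0]


def find_weak_cipher_modes(source: str, insecure_modes=DEFAULT_INSECURE_MODES) -> list[Finding]:
    lines = [_strip_line_comment(l) for l in source.splitlines()]

    # Pass 1: variables initialised from a CipherMode literal (flow-insensitive by design).
    mode_vars: dict[str, str] = {}
    for text in lines:
        for m in _MODE_VAR_DECL.finditer(text):
            mode_vars[m.group(1)] = m.group(2)

    # Pass 2: every Mode assignment, resolving identifiers through pass 1.
    findings: list[Finding] = []
    for number, text in enumerate(lines, start=1):
        for m in _MODE_ASSIGN.finditer(text):
            literal, ident = m.group(1), m.group(2)
            if literal is not None:
                mode, via = literal, "direct"
            elif ident in mode_vars:
                mode, via = mode_vars[ident], ident
            else:
                continue  # unresolvable reference: out of scope for this toy
            if mode in insecure_modes:
                findings.append(Finding(number, mode, via))
    return findings


# Constructed C# sample: one initializer, one direct assignment, two via variables.
SAMPLE_CS = """\
using System.Security.Cryptography;
class CryptoExample {
    public static void Run() {
        // ECB in comment text must not trigger a finding
        var aes1 = new AesManaged { KeySize = 128, Mode = CipherMode.ECB };   // line 5
        var aes2 = Aes.Create();
        aes2.Mode = CipherMode.CBC;                                          // line 7
        CipherMode chosen = CipherMode.ECB;
        var aes3 = Aes.Create();
        aes3.Mode = chosen;                                                  // line 10
        CipherMode safe = CipherMode.CFB;
        var aes4 = Aes.Create();
        aes4.Mode = safe;                                                    // not flagged
    }
}
"""

if __name__ == "__main__":
    for f in find_weak_cipher_modes(SAMPLE_CS, frozenset({"ECB", "CBC"})):
        print(f"line {f.line}: CipherMode.{f.mode} set via {f.via}")
```

Pass one is deliberately flow-insensitive: a variable declared after its use, or reassigned later, is still resolved to the literal it was initialised with, which keeps the toy short but can produce false positives or negatives that a real AST-based rule would avoid.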
Vulnerable code example
    using System.Security.Cryptography;

    class CryptoExample {
        public static void InsecureEncryption() {
            // Vulnerable: Using CBC mode which is vulnerable to padding oracle attacks
            AesManaged aes1 = new AesManaged {
                KeySize = 128,
                BlockSize = 128,
                Mode = CipherMode.CBC   // the mode setting this rule reports
            };
        }
    }
✅ Secure code example
    using System.Security.Cryptography;

    class CryptoExample {
        public static void SecureEncryption() {
            // Secure: Using AES-GCM which provides authenticated encryption
            using (AesGcm aes1 = new AesGcm(key: new byte[32])) // 256-bit key for better security (all-zero placeholder; use a real key)
            {
                // GCM mode provides both confidentiality and authenticity
                byte[] nonce = new byte[AesGcm.NonceByteSizes.MaxSize]; // 12 bytes; must never repeat under one key
                RandomNumberGenerator.Fill(nonce);
                byte[] plaintext = System.Text.Encoding.UTF8.GetBytes("example message");
                byte[] ciphertext = new byte[plaintext.Length];
                byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize]; // 16-byte authentication tag
                aes1.Encrypt(nonce, plaintext, ciphertext, tag);
            }
        }
    }