Java Hardcoded Salt Literal
Description
Detects hardcoded salt values in Java Password-Based Encryption (PBE) operations. A static or hardcoded salt defeats the purpose of salting: every user with the same password derives the same key or hash, and an attacker who learns the constant can build tables against it in advance, so the hashes become predictable and vulnerable to precomputed (rainbow-table) attacks.
Detection Strategy
• Identifies constructor calls to PBEKeySpec or PBEParameterSpec classes
• Examines the constructor arguments to check if the salt parameter is specified as a literal value instead of being randomly generated
• Reports a vulnerability when a hardcoded salt value is found in the constructor arguments
• Specifically focuses on the salt parameter position in the constructor signature (varies by class but is typically the second argument)
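The strategy above, implemented as a small stand-alone Python scanner. This is an added example written for this page, not Fluid Attacks' own rule implementation. It works lexically on the source text rather than on a Java AST: it locates `new PBEKeySpec(...)` and `new PBEParameterSpec(...)`, splits the argument list while tracking nesting, picks the salt position for each class from the JCA constructor signatures (second argument for PBEKeySpec, first for PBEParameterSpec), and reports the argument when it is a string literal, a `byte[]` initializer, or a variable that the same file initializes to one (so `salt.getBytes()` is caught through a one-file constant-propagation step). The two Java sources it scans are constructed samples embedded in the block.

```python
import re
from collections import namedtuple

# 0-based salt position per constructor, taken from the JCA signatures:
# PBEKeySpec(char[] password, byte[] salt, ...) and PBEParameterSpec(byte[] salt, int iterationCount, ...)
SALT_POSITION = {"PBEKeySpec": 1, "PBEParameterSpec": 0}

CTOR_RE = re.compile(r"\bnew\s+(PBEKeySpec|PBEParameterSpec)\s*\(")
STRING_LITERAL_RE = re.compile(r'^"(?:[^"\\]|\\.)*"$')
ARRAY_INIT_RE = re.compile(r"^(?:new\s+byte\s*\[\s*\]\s*)?\{")
GET_BYTES_RE = re.compile(r"\.getBytes\s*\([^)]*\)\s*$")
# Declarations whose initializer can be inspected: [final] String s = ...; / byte[] b = ...;
DECL_RE = re.compile(r"\b(?:final\s+)?(?:String|byte\s*\[\s*\])\s+(\w+)\s*=\s*([^;]+);")

# line: 1-based line of the constructor call; ctor: class name; salt_expr: argument at the salt position
Finding = namedtuple("Finding", "line ctor salt_expr")

def _ctor_args(src, open_idx):
    """Top-level arguments of the call whose '(' is at open_idx; None if unbalanced.
    Tracks (), [], {} nesting and skips over string literals (escape sequences are not handled)."""
    args, cur, depth, in_str = [], [], 0, False
    for ch in src[open_idx:]:
        if in_str:
            in_str = ch != '"'
            cur.append(ch)
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch in "([{":
            depth += 1
            if depth > 1:  # the call's own '(' is not part of an argument
                cur.append(ch)
        elif ch in ")]}":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return None

def _is_literal(expr):
    """True for "...", "...".getBytes(...), new byte[]{...} and {...} initializers."""
    base = GET_BYTES_RE.sub("", expr.strip()).strip()
    return bool(STRING_LITERAL_RE.match(base) or ARRAY_INIT_RE.match(base))

def _literal_variables(src):
    """Names this file initializes with a literal: a one-file constant-propagation step."""
    return {m.group(1) for m in DECL_RE.finditer(src) if _is_literal(m.group(2))}

def find_hardcoded_salts(src):
    """Report PBE constructor calls whose salt argument is a literal or a literal-initialized variable."""
    literal_vars = _literal_variables(src)
    findings = []
    for m in CTOR_RE.finditer(src):
        ctor = m.group(1)
        args = _ctor_args(src, m.end() - 1)  # m.end() - 1 is the index of the opening '('
        pos = SALT_POSITION[ctor]
        if args is None or len(args) <= pos:
            continue
        salt = args[pos]
        base = GET_BYTES_RE.sub("", salt).strip()  # salt.getBytes() -> salt
        if _is_literal(salt) or base in literal_vars:
            findings.append(Finding(src.count("\n", 0, m.start()) + 1, ctor, salt))
    return findings

# Constructed Java samples (not from the page); the vulnerable one covers three literal shapes.
VULNERABLE_JAVA = """\
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class VulnerableExample {
    public static void main(String[] args) {
        String password = "userPassword";
        String salt = "MY_SALT";
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), 65536, 256);
        PBEParameterSpec p1 = new PBEParameterSpec("MY_SALT".getBytes(), 65536);
        PBEParameterSpec p2 = new PBEParameterSpec(new byte[]{1, 2, 3, 4}, 65536);
    }
}
"""
SECURE_JAVA = """\
public class SecureExample {
    public static void main(String[] args) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        PBEKeySpec spec = new PBEKeySpec("userPassword".toCharArray(), salt, 65536, 256);
    }
}
"""

if __name__ == "__main__":
    print(*find_hardcoded_salts(VULNERABLE_JAVA), sep="\n")
```

Run it as a script to list the three findings in the vulnerable sample (lines 8, 9 and 10, one per literal shape) and nothing for the secure one, or import `find_hardcoded_salts` and pass it a file's contents. Because it is lexical, it misses a literal salt that arrives through a method call or a field declared in another class, and it treats any `String` or `byte[]` initialized to a literal in the same file as tainted; a production rule sits on a real Java AST and resolves such definitions properly.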
Vulnerable code example
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class VulnerableExample {
    public static void main(String[] args) {
        String password = "userPassword";
        String salt = "MY_SALT"; // VULNERABLE: Using hardcoded salt instead of random salt
        // Every run and every user reuses the same constant salt, so identical passwords
        // yield identical derived keys (iteration count and key length here are illustrative)
        PBEKeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt.getBytes(), 65536, 256);
        PBEParameterSpec paramSpec = new PBEParameterSpec(salt.getBytes(), 65536);
    }
}
✅ Secure code example
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.security.SecureRandom;

public class SecureExample {
    public static void main(String[] args) {
        String password = "userPassword";
        // SECURE: a fresh 16-byte salt from a CSPRNG for each password; store it alongside the hash
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        PBEKeySpec keySpec = new PBEKeySpec(password.toCharArray(), salt, 65536, 256);
        PBEParameterSpec paramSpec = new PBEParameterSpec(salt, 65536);
    }
}