Javascript Hardcoded Key Material Used
Description
Detects hardcoded cryptographic keys and credentials in JavaScript code that uses the CryptoJS library. Embedding key material directly in source code is a security risk: anyone who can read the code, or the shipped bundle, can extract the keys and decrypt the data they protect.
Detection Strategy
• Scans JavaScript source files for CryptoJS library usage and cryptographic operations
• Identifies hardcoded string values passed as keys or initialization vectors to crypto functions
• Reports instances where cryptographic keys are directly embedded in the code instead of being retrieved from secure configuration
• Checks crypto operation calls like AES encryption/decryption for hardcoded key material
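A small regex-based scanner that flags the two patterns the strategy above describes (string literals handed to CryptoJS.enc.*.parse, and a literal key passed to a CryptoJS cipher's encrypt/decrypt). This is an added example, not Fluid Attacks' detector; the sample source it scans is constructed.

```javascript
// Patterns for key material appearing as a string literal in a CryptoJS call.
const PATTERNS = [
  // CryptoJS.enc.<Encoding>.parse("literal") -> a hardcoded WordArray (key or IV)
  {
    kind: "enc.parse literal",
    re: /CryptoJS\.enc\.(Utf8|Utf16|Utf16LE|Utf16BE|Latin1|Hex|Base64)\.parse\(\s*(['"`])([^'"`]*)\2\s*\)/g,
  },
  // CryptoJS.<Cipher>.encrypt(data, "literal", ...) -> a hardcoded passphrase or key
  {
    kind: "cipher literal key",
    re: /CryptoJS\.(AES|DES|TripleDES|Rabbit|RC4)\.(encrypt|decrypt)\(\s*[^,]+,\s*(['"`])([^'"`]*)\3/g,
  },
];

// Scans one source file line by line and returns {line, kind, snippet} findings.
// Limitation: a literal first assigned to a variable and then passed as the key
// is not caught; a production detector needs dataflow analysis for that case.
function findHardcodedKeyMaterial(source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const { kind, re } of PATTERNS) {
      re.lastIndex = 0; // reset the /g regex for every line
      let m;
      while ((m = re.exec(text)) !== null) {
        findings.push({ line: idx + 1, kind, snippet: m[0].trim() });
      }
    }
  });
  return findings;
}

// Constructed sample source: lines 2-4 should be flagged, lines 5-6 are clean.
const SAMPLE_SOURCE = [
  'import * as CryptoJS from "crypto-js";',
  'const key = CryptoJS.enc.Utf8.parse("secret123");',
  'const iv = CryptoJS.enc.Hex.parse("000102030405060708090a0b0c0d0e0f");',
  'const ct = CryptoJS.AES.encrypt(data, "password", { iv });',
  'const ok = CryptoJS.AES.encrypt(data, CryptoJS.lib.WordArray.random(32), { iv: CryptoJS.lib.WordArray.random(16) });',
  'const fromEnv = CryptoJS.enc.Hex.parse(process.env.APP_KEY_HEX);',
].join("\n");

for (const f of findHardcodedKeyMaterial(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.kind}: ${f.snippet}`);
}
```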
Vulnerable code example
import * as CryptoJS from "crypto-js";

function encodeSecretData(data) {
  // Unsafe: the key material is a string literal in the source, so anyone with the
  // code can read it; these encodings also provide no cryptographic protection
  const encoded1 = CryptoJS.enc.Utf16LE.parse("secret123");
  const encoded2 = CryptoJS.enc.Latin1.parse("password");
  const encoded3 = CryptoJS.enc.Utf8.parse("api_key");
  return encoded1;
}

✅ Secure code example
import * as CryptoJS from "crypto-js";

function encodeSecretData(data) {
  // Safe: a random key and IV are generated at runtime instead of being embedded in the source
  const key = CryptoJS.lib.WordArray.random(32); // Generate secure random 256-bit key
  const iv = CryptoJS.lib.WordArray.random(16);  // Fresh random 128-bit IV, required for CBC
  const encrypted = CryptoJS.AES.encrypt(data, key, {
    iv: iv,
    mode: CryptoJS.mode.CBC,
    padding: CryptoJS.pad.Pkcs7,
  });
  // Keep the key in secure configuration and store the IV with the ciphertext for decryption
  return encrypted.toString();
}