Typescript Insecure Use Of Cbc Mode
Description
Detects insecure usage of CBC (Cipher Block Chaining) mode in CryptoJS library implementations. CBC mode without proper authentication can be vulnerable to padding oracle attacks and chosen-ciphertext attacks, potentially allowing attackers to decrypt encrypted data.
Weakness:
094 - Insecure encryption algorithm - Cipher Block Chaining
Category: Information Collection
Detection Strategy
• Checks if the source code imports the 'crypto-js' library
• Identifies usage of CryptoJS encryption operations
• Specifically looks for CBC mode being used in encryption configurations
• Reports a vulnerability when CBC mode is detected in CryptoJS encryption operations without additional security controls
Vulnerable code example
import * as CryptoJS from 'crypto-js';
function encrypt(data: string, key: string): string {
const iv = CryptoJS.lib.WordArray.random(16);
// VULNERABLE: Using CBC mode which is vulnerable to padding oracle attacks
const encrypted = CryptoJS.AES.encrypt(data, key, {
mode: CryptoJS.mode.CBC,...✅ Secure code example
import { createCipheriv, randomBytes } from 'crypto';
function encrypt(data: string, key: string): string {
// Generate random IV for each encryption
const iv = randomBytes(12); // 96 bits is recommended for GCM
// Use AES-GCM mode which provides authenticated encryption
const cipher = createCipheriv('aes-256-gcm', Buffer.from(key, 'hex'), iv);...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.