logo

Database

Config Files Weak Encryption Method Algorithm

Description

Detects the use of cryptographically weak encryption algorithms (Triple DES CBC and RSA-1.5) in XML configuration files. These legacy algorithms have known security vulnerabilities and their use could lead to potential decryption of sensitive data by attackers.

Weakness:

264 - Insecure encryption algorithm - TripleDES

Category: Information Collection

Detection Strategy

    Scans XML configuration files for <EncryptionMethod> tags within <EncryptedData> sections

    Checks if the algorithm attribute contains vulnerable encryption methods: Triple DES CBC (xmlenc#tripledes-cbc) or RSA-1.5 (xmlenc#rsa-1_5)

    Reports a vulnerability when a weak encryption algorithm is found, including the exact line and column location in the file

Vulnerable code example

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" /> <!-- Vulnerable: Uses weak Triple DES encryption -->
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey>
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /> <!-- Vulnerable: Uses RSA PKCS#1 v1.5 prone to padding attacks -->...

✅ Secure code example

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProviderSecure">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" /> <!-- Using AES-256 instead of weak Triple DES -->
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey>
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" /> <!-- Using RSA-OAEP instead of vulnerable PKCS#1 v1.5 -->...