Dart Pointycastle Argon2 Hardcoded Salt
Description
The detector identifies hardcoded salt values in Dart applications using PointyCastle or Argon2 cryptographic libraries. Using hardcoded salts in password hashing or key derivation functions severely weakens security by making passwords vulnerable to rainbow table attacks and reducing the effectiveness of cryptographic operations.
Detection Strategy
• Scans Dart source code files that import PointyCastle (package:pointycastle) or Argon2 (package:argon2) cryptographic libraries
• Identifies method calls to salt-related functions in these cryptographic libraries
• Examines the second argument (salt parameter) of these cryptographic method calls
• Reports a vulnerability when the salt parameter is a hardcoded byte array or literal value instead of a dynamically generated random value
Vulnerable code example
import 'package:pointycastle/export.dart';
void hashPassword() {
final params = Argon2Parameters(
Argon2Parameters.ARGON2_id,
[0, 1, 2, 3, 4, 5, 6, 7], // Hardcoded salt creates identical hashes
desiredKeyLength: 32,
iterations: 3,...✅ Secure code example
import 'dart:math';
import 'dart:typed_data';
import 'package:pointycastle/export.dart';
void hashPassword() {
final random = Random.secure();
final salt = Uint8List.fromList(List<int>.generate(16, (_) => random.nextInt(256))); // Generate random salt using CSPRNG
...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.