TypeScript Insecure Deprecated Encryption
Description
This detector identifies the use of deprecated or insecure encryption algorithms and methods in TypeScript code. Using outdated encryption approaches can expose applications to cryptographic vulnerabilities, as these algorithms may have known weaknesses or insufficient security for modern threats.
Detection Strategy
• Scans TypeScript source code for function calls and method invocations related to cryptographic operations
• Detects insecure encryption libraries or modules being imported and used in the codebase
• Flags hardcoded encryption keys or initialization vectors that compromise security
• Reports instances where deprecated cryptographic APIs from Node.js crypto module or third-party libraries are being called
Vulnerable code example
import * as crypto from 'crypto';
// VULNERABLE: createCipher derives both key and IV from the password (single MD5 pass, no salt)
const cipher = crypto.createCipher('aes-256-gcm', 'my-secret');
// VULNERABLE: createDecipher is also deprecated for the same reason
const decipher = crypto.createDecipher('aes-256-gcm', 'password');
✅ Secure code example
import * as crypto from 'crypto';
// SECURE: Use createCipheriv with explicit key derivation and IV
const key = crypto.scryptSync('my-secret', 'salt', 32); // Proper key derivation (real code: secret from configuration, random salt)
const iv = crypto.randomBytes(12); // Fresh random 12-byte IV, the recommended size for GCM
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
// SECURE: Use createDecipheriv with same key derivation...
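
An added example, not part of the original page or the detector's own code: a full AES-256-GCM round trip with createCipheriv and createDecipheriv, including the decryption side and the authentication tag check. The function names and the salt || iv || tag || ciphertext layout are assumptions of this example, and it draws a random salt per message instead of the fixed 'salt' string.

```typescript
import * as crypto from 'crypto';

const ALGO = 'aes-256-gcm';
// Layout assumed by this example: salt || iv || tag || ciphertext
const SALT_LEN = 16;
const IV_LEN = 12;
const TAG_LEN = 16;

// Encrypts plaintext under a key derived from `secret` with scrypt.
// `secret` is expected to come from configuration or a secret store, never a literal.
function sealMessage(secret: string, plaintext: string): Buffer {
  const salt = crypto.randomBytes(SALT_LEN); // fresh salt per message
  const iv = crypto.randomBytes(IV_LEN);     // fresh IV per message, never reused with a key
  const key = crypto.scryptSync(secret, salt, 32);
  const cipher = crypto.createCipheriv(ALGO, key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

// Decrypts a sealed message; throws if the secret is wrong or any byte was modified.
function openMessage(secret: string, sealed: Buffer): string {
  if (sealed.length < SALT_LEN + IV_LEN + TAG_LEN) {
    throw new Error('sealed message too short');
  }
  const salt = sealed.subarray(0, SALT_LEN);
  const iv = sealed.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = sealed.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = sealed.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const key = crypto.scryptSync(secret, salt, 32);
  const decipher = crypto.createDecipheriv(ALGO, key, iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag); // final() fails unless the tag verifies
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Flips one bit of the last byte and reports whether decryption rejects the result.
function rejectsTampering(secret: string, sealed: Buffer): boolean {
  const copy = Buffer.from(sealed);
  const last = copy.length - 1;
  copy.writeUInt8(copy.readUInt8(last) ^ 0x01, last);
  try {
    openMessage(secret, copy);
    return false;
  } catch {
    return true;
  }
}
```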