C Sharp Hardcoded Encryption Key
Description
Identifies instances where encryption/decryption operations in C# code use hardcoded keys or credentials specified in plaintext. This represents a security risk since hardcoded encryption keys can be extracted from the application code, potentially compromising the encrypted data.
Detection Strategy
• Looks for method calls named 'decrypt' in C# code
• Checks if the decrypt method's arguments contain plaintext credentials or keys
• Verifies if the decrypt operation uses cryptography libraries
• Reports a vulnerability when decrypt operations are found using hardcoded/plaintext keys
Vulnerable code example
using System;
class CryptoUtil {
    public string DecryptData(string data) {
        // Vulnerability: Hardcoded cryptographic key/salt
        string hardcodedKey = GetHash("bGZkYjIwMTgq");
        return Decrypt(data, hardcodedKey);
    }
    ...

✅ Secure code example
using System;
class CryptoUtil {
    public string DecryptData(string data, string keyFromConfig) {
        // Safe: Key is passed as parameter from secure configuration
        if (string.IsNullOrEmpty(keyFromConfig)) {
            throw new ArgumentException("Encryption key cannot be null or empty");
        }
        ...