Java Hardcoded Salt Pbkdf2
Description
Detects when password-based encryption in Java uses a hardcoded salt instead of a cryptographically secure random salt. A fixed salt is predictable and is shared across every password hash, so identical passwords produce identical hashes and a single precomputed table works against all of them, which weakens the security of password hashing.
Detection Strategy
• Identifies instantiations of PBEKeySpec or PBEParameterSpec classes in Java code
• Checks if the salt parameter passed to these classes is hardcoded, either as a byte array literal or from a hardcoded string's getBytes() method
• Verifies the salt value is not derived from a secure random source or other dynamic generation method
• Reports a vulnerability when a hardcoded salt is used in password-based encryption implementations
Vulnerable code example
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.nio.charset.StandardCharsets;
public class Encryption {
public static String encryptData(String data, String password) {
...
✅ Secure code example
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import android.util.Base64;
...
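Both snippets above are truncated on this page, so the following is an added, complete example (not Fluid Attacks' own code) that puts the flagged pattern next to the fixed one. It assumes plain JDK APIs (java.util.Base64 rather than the android.util.Base64 import shown above); the class name SaltDemo, the helper names and the iteration count, key size and salt length are constructed for the demo.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class SaltDemo {
    // Constructed demo parameters, not values from the page.
    private static final int ITERATIONS = 210_000;
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    // VULNERABLE (the pattern the rule flags): the salt is a string literal, so the same
    // password always yields the same key and one precomputed table covers every user.
    static byte[] deriveWithHardcodedSalt(char[] password) throws GeneralSecurityException {
        byte[] salt = "fixed-demo-salt!".getBytes(StandardCharsets.UTF_8); // hardcoded salt
        return pbkdf2(password, salt);
    }

    // SECURE: a fresh salt from SecureRandom for every derivation.
    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    // Shared PBKDF2-HMAC-SHA256 derivation; the password is wiped from the spec afterwards.
    static byte[] pbkdf2(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // Storage format "base64(salt):base64(hash)": the salt is not secret, it just has to be unique.
    static String hashForStorage(char[] password) throws GeneralSecurityException {
        byte[] salt = newSalt();
        return Base64.getEncoder().encodeToString(salt) + ":"
                + Base64.getEncoder().encodeToString(pbkdf2(password, salt));
    }

    static boolean verify(char[] password, String stored) throws GeneralSecurityException {
        String[] parts = stored.split(":", 2);
        byte[] salt = Base64.getDecoder().decode(parts[0]);
        byte[] expected = Base64.getDecoder().decode(parts[1]);
        // Constant-time comparison so timing does not leak how many bytes matched.
        return MessageDigest.isEqual(expected, pbkdf2(password, salt));
    }

    // PBEParameterSpec path (password-based cipher): salt and IV are random per message and
    // travel with the ciphertext; the decrypting side rebuilds the same spec from them.
    static byte[][] encrypt(char[] password, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = newSalt();
        byte[] iv = new byte[16]; // AES block size
        RNG.nextBytes(iv);
        Cipher cipher = pbeCipher(Cipher.ENCRYPT_MODE, password, salt, iv);
        return new byte[][] { salt, iv, cipher.doFinal(plaintext) };
    }

    static byte[] decrypt(char[] password, byte[] salt, byte[] iv, byte[] ciphertext)
            throws GeneralSecurityException {
        return pbeCipher(Cipher.DECRYPT_MODE, password, salt, iv).doFinal(ciphertext);
    }

    private static Cipher pbeCipher(int mode, char[] password, byte[] salt, byte[] iv)
            throws GeneralSecurityException {
        String alg = "PBEWithHmacSHA256AndAES_128";
        PBEKeySpec keySpec = new PBEKeySpec(password);
        SecretKey key = SecretKeyFactory.getInstance(alg).generateSecret(keySpec);
        keySpec.clearPassword();
        Cipher cipher = Cipher.getInstance(alg);
        cipher.init(mode, key, new PBEParameterSpec(salt, ITERATIONS, new IvParameterSpec(iv)));
        return cipher;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray();
        System.out.println("hardcoded salt, identical keys on repeat: "
                + Arrays.equals(deriveWithHardcodedSalt(pw), deriveWithHardcodedSalt(pw)));
        String stored = hashForStorage(pw);
        System.out.println("random salt, identical stored strings on repeat: "
                + stored.equals(hashForStorage(pw)));
        System.out.println("verify correct password: " + verify(pw, stored));
        System.out.println("verify wrong password: " + verify("wrong".toCharArray(), stored));
        byte[][] box = encrypt(pw, "secret".getBytes(StandardCharsets.UTF_8));
        System.out.println("cipher round trip: "
                + new String(decrypt(pw, box[0], box[1], box[2]), StandardCharsets.UTF_8));
    }
}
```

The first two printed lines are the observable difference the rule is about: with the hardcoded salt, repeating the derivation gives the same bytes, while with a per-derivation SecureRandom salt the stored strings differ even for the same password. Because the salt is stored next to the hash (or sent with the ciphertext), nothing needs to be kept fixed in source for verification or decryption to work.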