Php Hardcoded Cryptographic Key
Description
Detects hardcoded cryptographic keys used in PHP encryption/decryption operations. This is a security risk because hardcoded keys in source code can be easily extracted by attackers, compromising the confidentiality of encrypted data. Keys should be stored securely in configuration files or key management systems.
Detection Strategy
• Identifies calls to PHP cryptographic functions 'openssl_encrypt' or 'openssl_decrypt'
• Examines the third parameter (key argument) of these functions
• Reports a vulnerability if the key argument is a hardcoded value: a string literal passed directly, or a variable that was assigned a string literal, rather than a value loaded from configuration or a key management system
• Triggers on code patterns like: openssl_encrypt($data, 'aes-256-cbc', 'hardcoded-key-123')
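The detection strategy above, as an added illustration (this is not Fluid Attacks' rule implementation): a small Python scanner that finds openssl_encrypt/openssl_decrypt calls in PHP source, isolates the third argument and reports it when it is a string literal or a variable that was assigned a string literal earlier in the file. The function names `split_args`, `literal_assignment` and `find_hardcoded_keys` are chosen here, the sample PHP source is constructed from the page's own examples, and variable scope is approximated by file order rather than by function body.

```python
import re

# Calls the rule looks at; the key is the third argument of both.
CRYPTO_CALL = re.compile(r"\b(openssl_encrypt|openssl_decrypt)\s*\(")
# A single- or double-quoted PHP string literal making up the whole argument.
STRING_LITERAL = re.compile(r"""^(?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")$""")
VARIABLE = re.compile(r"^\$[A-Za-z_]\w*$")


def split_args(src: str, start: int) -> list[str]:
    """Split the argument list that begins at index `start` (just after the
    opening parenthesis) into top-level arguments, honouring nested
    parentheses/brackets and quoted strings."""
    args, buf, depth, quote = [], [], 0, None
    i = start
    while i < len(src):
        ch = src[i]
        if quote:
            buf.append(ch)
            if ch == "\\" and i + 1 < len(src):   # keep escaped char verbatim
                buf.append(src[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch in "([{":
            depth += 1
            buf.append(ch)
        elif ch in ")]}":
            if depth == 0:                          # end of the call's own list
                args.append("".join(buf).strip())
                return args
            depth -= 1
            buf.append(ch)
        elif ch == "," and depth == 0:
            args.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    raise ValueError("unterminated argument list")


def literal_assignment(src: str, var: str, before: int):
    """Return the string literal most recently assigned to `var` (as in
    `$key = 'secret';`) before offset `before`, or None. Scope is
    approximated by file order, which is enough for this illustration."""
    pat = re.compile(
        re.escape(var) + r"""(?!\w)\s*=\s*('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")\s*;"""
    )
    last = None
    for m in pat.finditer(src, 0, before):
        last = m.group(1)
    return last


def find_hardcoded_keys(src: str) -> list[tuple[int, str, str]]:
    """Return (line, function, literal) for every openssl_encrypt/decrypt call
    whose key argument is a string literal or a variable assigned one."""
    findings = []
    for m in CRYPTO_CALL.finditer(src):
        args = split_args(src, m.end())
        if len(args) < 3:
            continue
        key = args[2]
        line = src.count("\n", 0, m.start()) + 1
        if STRING_LITERAL.match(key):
            findings.append((line, m.group(1), key))
        elif VARIABLE.match(key):
            literal = literal_assignment(src, key, m.start())
            if literal is not None:
                findings.append((line, m.group(1), literal))
    return findings


# Constructed sample inputs, modelled on the page's vulnerable and secure examples.
VULNERABLE_SRC = """<?php
function encrypt($data, $iv) {
    return openssl_encrypt($data, 'AES-256-CBC', 'my_hardcoded_key', 0, $iv);
}
function decrypt($data, $iv) {
    $key = 'another_secret_key';
    return openssl_decrypt($data, 'AES-256-CBC', $key, 0, $iv);
}
"""

SECURE_SRC = """<?php
function encrypt(string $data, string $iv): string {
    $key = getenv('ENCRYPTION_KEY');
    if (!$key) {
        throw new RuntimeException('Encryption key not configured');
    }
    return openssl_encrypt($data, 'AES-256-CBC', $key, 0, $iv);
}
"""

if __name__ == "__main__":
    for line, func, literal in find_hardcoded_keys(VULNERABLE_SRC):
        print(f"line {line}: {func}() uses hardcoded key {literal}")
    print("secure example findings:", find_hardcoded_keys(SECURE_SRC))
```

Run against the constructed vulnerable source it reports both calls (the direct literal and the `$key` variable assigned a literal); the secure source, where `$key` comes from `getenv()`, yields no finding. A production rule would resolve the variable inside the enclosing function body and also follow constants and class properties; this version deliberately stops at the two patterns the page describes.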
Vulnerable code example
<?php
function encrypt($data, $iv) {
    // UNSAFE: Hardcoded encryption key as literal in crypto function
    return openssl_encrypt($data, 'AES-256-CBC', 'my_hardcoded_key', 0, $iv);
}
function decrypt($data, $iv) {
    $key = 'another_secret_key'; // UNSAFE: Hardcoded key via variable
    return openssl_decrypt($data, 'AES-256-CBC', $key, 0, $iv);
}
✅ Secure code example
<?php
function encrypt(string $data, string $iv): string {
    $key = getenv('ENCRYPTION_KEY'); // SAFE: Get key from environment variable
    if (!$key) {
        throw new RuntimeException('Encryption key not configured');
    }
    $ciphertext = openssl_encrypt($data, 'AES-256-CBC', $key, 0, $iv);
    if ($ciphertext === false) {
        // openssl_encrypt() returns false on failure (e.g. wrong IV length);
        // returning that through the string return type would raise a TypeError
        throw new RuntimeException('Encryption failed: ' . openssl_error_string());
    }
    return $ciphertext;
}