Typescript Weak Password Encoding Base64
Description
Detects when passwords are encoded using Base64 in TypeScript applications that connect to databases. Base64 encoding passwords is insecure since it's easily reversible and offers no cryptographic protection, potentially exposing credentials to attackers.
Detection Strategy
• Check if the code imports any of these database modules: mongodb, mysql2, pg (PostgreSQL), or redis
• Look for password-related variables or parameters that are encoded using Base64
• Report a vulnerability when a password field is encoded using Base64 methods instead of proper password hashing
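The three steps above, expressed as a small line-based detector in TypeScript. This is an added example written for this page, not Fluid Attacks' own rule implementation; the function names, the identifier pattern used to spot password variables, and the sample source it scans are all constructed for illustration.

```typescript
// Added example: a minimal detector for this rule (not Fluid Attacks' implementation).
// It is line-based and approximate; a production rule would work on a syntax tree.
const DB_MODULES = ["mongodb", "mysql2", "pg", "redis"];

interface Finding {
  line: number;    // 1-based line number of the offending statement
  snippet: string; // trimmed source line
}

// Step 1: does the file import one of the database client modules?
// Covers both `import ... from "x"` and `require("x")` spellings.
function importsDatabaseModule(source: string): boolean {
  const importRe = /\bfrom\s+["']([^"']+)["']|\brequire\(\s*["']([^"']+)["']\s*\)/g;
  let m: RegExpExecArray | null;
  while ((m = importRe.exec(source)) !== null) {
    const moduleName = m[1] ?? m[2];
    if (DB_MODULES.includes(moduleName)) return true;
  }
  return false;
}

// Step 2: a line that Base64-encodes a password-like value. Both common spellings
// are covered: Buffer.from(x).toString("base64") and btoa(x).
const BASE64_RE = /Buffer\.from\([^)]*\)\.toString\(\s*["']base64["']\s*\)|\bbtoa\s*\(/;
const PASSWORD_RE = /pass(word|wd)?|pwd/i; // hypothetical identifier pattern

// Step 3: report each match, but only when the file talks to a database.
function detectWeakPasswordEncoding(source: string): Finding[] {
  if (!importsDatabaseModule(source)) return [];
  const findings: Finding[] = [];
  source.split("\n").forEach((text, i) => {
    if (BASE64_RE.test(text) && PASSWORD_RE.test(text)) {
      findings.push({ line: i + 1, snippet: text.trim() });
    }
  });
  return findings;
}

// Constructed sample input resembling this page's vulnerable snippet.
const SAMPLE_VULNERABLE = [
  'import { MongoClient } from "mongodb";',
  'const client = new MongoClient("mongodb://localhost:27017");',
  "async function register(username: string, password: string) {",
  '  const encoded = Buffer.from(password).toString("base64"); // reversible, not a hash',
  '  await client.db("app").collection("users").insertOne({ username, password: encoded });',
  "}",
].join("\n");

console.log(detectWeakPasswordEncoding(SAMPLE_VULNERABLE)); // one finding, at line 4
```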
Vulnerable code example
import express from "express";
import { MongoClient } from "mongodb";
const app = express();
app.use(express.json());
const client = new MongoClient("mongodb://localhost:27017");
async function main() {...

✅ Secure code example
import express from "express";
import { MongoClient } from "mongodb";
import * as bcrypt from "bcrypt";
const app = express();
app.use(express.json());
const client = new MongoClient("mongodb://localhost:27017");
...