JavaScript Weak Password Encoding Base64
Description
Detects when passwords are weakly protected using Base64 encoding in JavaScript applications that connect to databases or caching systems. Base64 encoding is a reversible transformation that provides no cryptographic security, making passwords easily recoverable if compromised.
Detection Strategy
• Check if the JavaScript code imports database/cache modules (mongodb, mysql2, pg, redis)
• Look for password-related variables or parameters that are encoded using Base64
• Report a vulnerability when Base64-encoded passwords are used in database or caching operations
• Only triggers on code that combines database connectivity with Base64 password encoding
Vulnerable code example
const express = require('express');
const { MongoClient } = require('mongodb');
const app = express();
app.use(express.json());
const client = new MongoClient('mongodb://localhost:27017');
...
✅ Secure code example
const express = require('express');
const { MongoClient } = require('mongodb');
const bcrypt = require('bcrypt');
const app = express();
app.use(express.json());
const client = new MongoClient('mongodb://localhost:27017');
...