PHP Insecure OpenSSL Cipher
Description
Detects the use of insecure cipher algorithms in PHP's OpenSSL encryption/decryption functions. Using weak or deprecated cipher algorithms can make encrypted data vulnerable to cryptographic attacks, potentially exposing sensitive information.
Detection Strategy
• Identifies calls to PHP functions 'openssl_encrypt' or 'openssl_decrypt'
• Examines the second parameter (cipher algorithm) of these functions
• Reports a vulnerability if a weak or deprecated cipher algorithm is specified
• Common insecure ciphers include DES, RC4, and other outdated encryption algorithms
Vulnerable code example
<?php
$data = "secret";
$key = "mykey123";
$iv = openssl_random_pseudo_bytes(8);
// Vulnerable: Using weak/deprecated cipher methods
$encrypted1 = openssl_encrypt($data, "aes-256-cbc", $key, OPENSSL_RAW_DATA, $iv);
$encrypted2 = openssl_encrypt($data, "bf-cfb", $key, OPENSSL_RAW_DATA, $iv); // Using weak Blowfish cipher in CFB mode...
Secure code example
<?php
$data = "secret";
// Use a proper key derivation function to generate a secure key
$salt = random_bytes(16); // Keep the salt with the ciphertext; it is needed to re-derive the key
$key = hash_pbkdf2("sha256", "mykey123", $salt, 10000, 32, true);
// Use recommended cipher and proper IV length
$cipher = "aes-256-gcm"; // Using AES-GCM for authenticated encryption
$iv = random_bytes(openssl_cipher_iv_length($cipher)); // Proper IV length...
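A complete round trip for the secure pattern above, as an added example rather than code from the original page: it derives the key the way the page does, stores the salt, IV and GCM tag with the ciphertext, and rejects tampered input. The helper names `seal` and `unseal`, the constants and the blob layout are assumptions made for illustration.

```php
<?php
const CIPHER = 'aes-256-gcm';
const PBKDF2_ITERATIONS = 10000; // value used in the page's example; raise it to match your policy
const SALT_LEN = 16;
const TAG_LEN = 16;

// Hypothetical helper: returns base64(salt || iv || tag || ciphertext).
function seal(string $plaintext, string $password): string
{
    $salt = random_bytes(SALT_LEN);
    $key  = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 32, true);
    $iv   = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh IV for every message
    $tag  = '';
    $ct   = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($salt . $iv . $tag . $ct);
}

// Hypothetical helper: throws if the blob is malformed or the GCM tag does not verify.
function unseal(string $blob, string $password): string
{
    $raw   = base64_decode($blob, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < SALT_LEN + $ivLen + TAG_LEN) {
        throw new RuntimeException('malformed ciphertext');
    }
    $salt = substr($raw, 0, SALT_LEN);
    $iv   = substr($raw, SALT_LEN, $ivLen);
    $tag  = substr($raw, SALT_LEN + $ivLen, TAG_LEN);
    $ct   = (string) substr($raw, SALT_LEN + $ivLen + TAG_LEN);
    $key  = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 32, true);
    $pt   = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

// Constructed sample input, reusing the page's placeholder values.
$blob = seal('secret', 'mykey123');
var_dump(unseal($blob, 'mykey123') === 'secret');
$raw  = base64_decode($blob);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 1); // flip one ciphertext bit to simulate tampering
try { unseal(base64_encode($raw), 'mykey123'); }
catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

Unlike CBC or CFB, GCM makes `openssl_decrypt` return `false` when the ciphertext or tag has been modified, so the `false` check is what enforces integrity.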