Javascript Hardcoded Hmac Key
Description
Detects hardcoded cryptographic keys used in HMAC operations within JavaScript code. Using hardcoded keys in cryptographic operations is a security risk: anyone with access to the source code, its repository history, or the built artifacts can recover the key and forge valid HMAC signatures, compromising the integrity guarantees the HMAC was meant to provide.
Detection Strategy
• Identifies calls to crypto.createHmac function in JavaScript code
• Checks if the key parameter passed to createHmac is a hardcoded value (such as a string literal, or a constant assigned a string literal) rather than a value loaded at runtime from environment configuration or a secrets store
• Reports a vulnerability when HMAC initialization uses a static, hardcoded key value
Vulnerable code example
const crypto = require('crypto');
// Insecure: Hardcoded secret key directly in code
const hmac = crypto.createHmac('sha256', '1234secretkey5678');
// Insecure: Using hardcoded constant as crypto key
const FIXED_KEY = 'myStaticSecretKey';
const hmac2 = crypto.createHmac('sha256', FIXED_KEY);

✅ Secure code example
const crypto = require('crypto');
require('dotenv').config();
// Get the secret key from an environment variable instead of hardcoding it
const hmac = crypto.createHmac('sha256', process.env.SECRET_KEY);
// Use an environment variable for key storage; fail fast if it is missing,
// since createHmac throws on an undefined key
const dynamicKey = process.env.HMAC_KEY;
if (!dynamicKey) throw new Error('HMAC_KEY is not set');
const hmac2 = crypto.createHmac('sha256', dynamicKey);