Java Weak Crypto Algorithms
Description
Detects usage of cryptographically weak or insecure password encoders in Spring Security framework. These deprecated password encoders like MD5, SHA-1, and NoOp use outdated hashing algorithms or no hashing at all, making stored passwords vulnerable to cracking or reversal attacks.
Detection Strategy
• Check for instantiation or usage of deprecated Spring Security password encoders including: ShaPasswordEncoder, Md5PasswordEncoder, LdapShaPasswordEncoder, Md4PasswordEncoder, MessageDigestPasswordEncoder, NoOpPasswordEncoder, StandardPasswordEncoder, and SCryptPasswordEncoder
• These classes must be from the org.springframework.security.* package paths
• Report a vulnerability when any of these insecure password encoder classes are referenced in the code
• Modern alternatives like BCryptPasswordEncoder, Pbkdf2PasswordEncoder or Argon2PasswordEncoder should be used instead
Vulnerable code example
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
public class InsecureCrypto {
public void vulnerableMethod() throws Exception {
// Vulnerable: Uses weak DES encryption algorithm...✅ Secure code example
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.GCMParameterSpec;
import java.security.MessageDigest;
import java.security.SecureRandom;
public class SecureCrypto {...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.