Javascript Insecure Deprecated Encryption
Description
Detects the use of deprecated or insecure encryption algorithms and methods in JavaScript code. These outdated cryptographic functions may have known vulnerabilities, weak security properties, or have been superseded by more secure alternatives, potentially exposing sensitive data to attacks.
Detection Strategy
• Scans JavaScript source code for function calls and method invocations related to cryptographic operations
• Detects calls to insecure cryptographic libraries or methods that have known security weaknesses
• Flags usage of weak or outdated hashing algorithms
• Reports instances where deprecated Node.js crypto module methods or browser crypto APIs are being used
• Triggers when legacy encryption implementations or libraries with known vulnerabilities are detected in the codebase
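The strategy above, as a small worked scanner added for this page (example code, not the vendor's own detector): it applies the kinds of patterns the bullets describe to constructed sample source and reports line, pattern and reason. The pattern list, the `why` text and the sample source are assumptions made for the illustration; real rules are wider and parse the code rather than matching lines.

```javascript
// Added example: minimal line-based scanner for deprecated/insecure crypto calls in JavaScript.
// Pattern set chosen for this page; it is not Fluid Attacks' rule set.
const INSECURE_PATTERNS = [
  { id: 'deprecated-createCipher', re: /\bcrypto\.createCipher\s*\(/,
    why: 'key and IV derived from a password (MD5, no salt); deprecated in Node.js 10, removed in Node.js 22' },
  { id: 'deprecated-createDecipher', re: /\bcrypto\.createDecipher\s*\(/,
    why: 'counterpart of createCipher with the same weak derivation' },
  { id: 'weak-hash', re: /createHash\s*\(\s*['"](md4|md5|sha1)['"]\s*\)/i,
    why: 'digest with practical collision attacks' },
  { id: 'weak-cipher',
    re: /create(?:De)?Cipher(?:iv)?\s*\(\s*['"](des(?:-cbc|-ecb)?|des-ede3?(?:-cbc)?|rc4|rc2(?:-cbc)?|bf(?:-cbc|-ecb)?|aes-\d+-ecb)['"]/i,
    why: 'legacy cipher, 64-bit block, or unauthenticated ECB mode' },
  { id: 'cryptojs-legacy', re: /\bCryptoJS\.(MD5|SHA1|RC4|DES|TripleDES)\b/,
    why: 'legacy algorithm from the CryptoJS browser library' },
];

// Returns one finding per (line, pattern) hit. Trailing // comments are dropped before
// matching so commented-out code is not reported (naive: a '//' inside a string is also cut).
function scanSource(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    const code = text.replace(/\/\/.*$/, '');
    for (const p of INSECURE_PATTERNS) {
      const m = p.re.exec(code);
      if (m) findings.push({ line: index + 1, id: p.id, match: m[0], why: p.why });
    }
  });
  return findings;
}

// Human-readable report, one line per finding.
function formatFindings(findings) {
  return findings.map(f => `line ${f.line}: ${f.id} (${f.match.trim()}) - ${f.why}`);
}

// Constructed sample source for the demo (not taken from any real project).
const SAMPLE_SOURCE = [
  "const crypto = require('crypto');",
  "const c1 = crypto.createCipher('aes-256-gcm', 'password');",
  "const d1 = crypto.createDecipher('aes-256-gcm', 'key');",
  "const h1 = crypto.createHash('md5').update(data).digest('hex');",
  "const c2 = crypto.createCipheriv('des-ede3-cbc', key, iv);",
  "const c3 = crypto.createCipheriv('aes-256-gcm', key, iv); // explicit key and IV: fine",
  "const h2 = crypto.createHash('sha256').update(data).digest(); // fine",
].join('\n');

for (const line of formatFindings(scanSource(SAMPLE_SOURCE))) console.log(line);
```

Lines 2 to 5 of the sample are reported; the `createCipheriv('aes-256-gcm', …)` and `sha256` lines are not, which is the distinction the rule is meant to draw.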
Vulnerable code example
const crypto = require('crypto');
// Vulnerable: createCipher derives both the key and the IV from the password with
// OpenSSL's EVP_BytesToKey (MD5, one iteration, no salt), so the same password
// always yields the same IV; with GCM that nonce reuse breaks confidentiality and
// forgery resistance
const cipher = crypto.createCipher('aes-256-gcm', 'password');
// Vulnerable: createDecipher uses the same weak derivation; both methods were
// deprecated in Node.js 10 and removed in Node.js 22
const decipher = crypto.createDecipher('aes-256-gcm', 'key');
✅ Secure code example
const crypto = require('crypto');
// Safe: createCipheriv takes an explicit key and IV; no password-to-key shortcut
const key = crypto.randomBytes(32); // 256-bit key; store or exchange it securely, never derive it from a bare password
const iv = crypto.randomBytes(12); // fresh random 96-bit nonce per message (the recommended GCM size); never reuse with the same key
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
const ciphertext = Buffer.concat([cipher.update('secret message', 'utf8'), cipher.final()]);
const tag = cipher.getAuthTag(); // 128-bit authentication tag; keep iv, ciphertext and tag together
// Safe: createDecipheriv with the same explicit parameters, and the tag set before final()
const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
decipher.setAuthTag(tag);
const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8'); // final() throws if the tag does not verify