Python Unsafe Cipher Algorithm Or Mode
Description
Detects the use of cryptographically unsafe cipher modes in Python cryptography operations. Using an unsafe cipher mode, such as ECB, or CBC without proper authentication, can make encrypted data vulnerable to various attacks, including padding oracle attacks.
Detection Strategy
• Look for instantiations of Cipher objects in Python code
• Check if the Cipher constructor is called with 3 or more arguments
• Analyze the cipher mode argument to identify if an unsafe mode is specified
• Report a vulnerability when cryptographically unsafe cipher modes (e.g., ECB, CBC without authentication) are detected
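The detection strategy above, implemented as a static check with Python's ast module. This is an added example, not Fluid Attacks' scanner code; find_unsafe_cipher_modes, its min_args parameter and the SAMPLE source are assumptions constructed for illustration.

```python
import ast

UNSAFE_MODES = {"ECB", "CBC"}  # the modes this page names as unsafe

# Constructed sample input; it is only parsed, never executed.
SAMPLE = '''\
from cryptography.hazmat.primitives.ciphers import algorithms, Cipher, modes
from cryptography.hazmat.backends import default_backend
import os
key = os.urandom(32)
iv = os.urandom(16)
a = Cipher(algorithms.AES(key), modes.ECB(), default_backend())
b = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
c = Cipher(algorithms.AES(key), modes.GCM(iv), default_backend())
d = Cipher(algorithms.AES(key), modes.ECB())
'''

def _callee_name(call):
    """Trailing name of a call target: Cipher(...) -> 'Cipher', modes.ECB() -> 'ECB'."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else None

def find_unsafe_cipher_modes(source, min_args=3):
    """Return sorted (line, mode) pairs for Cipher(...) calls using an unsafe mode.

    min_args=3 follows the page's strategy. Assumption beyond the page: recent
    releases of the cryptography package make the backend argument optional,
    so min_args=2 is needed to also catch two-argument calls.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _callee_name(node) != "Cipher":
            continue
        if len(node.args) + len(node.keywords) < min_args:
            continue
        # The mode is the second positional argument or the mode= keyword.
        mode = node.args[1] if len(node.args) > 1 else next(
            (kw.value for kw in node.keywords if kw.arg == "mode"), None)
        if isinstance(mode, ast.Call) and _callee_name(mode) in UNSAFE_MODES:
            findings.append((node.lineno, _callee_name(mode)))
    return sorted(findings)

if __name__ == "__main__":
    for line, mode in find_unsafe_cipher_modes(SAMPLE):
        print(f"line {line}: Cipher uses unsafe mode {mode}")
```

The check matches on names only, so a mode built indirectly (for example, assigned to a variable first) is not resolved and would need data-flow analysis.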
Vulnerable code example
from cryptography.hazmat.primitives.ciphers import algorithms, Cipher, modes
from cryptography.hazmat.backends import default_backend
import os
key = os.urandom(16)
iv = os.urandom(16)
# Vulnerable: Using cryptographically weak algorithms (TripleDES, Blowfish, RC4)...
Secure code example
from cryptography.hazmat.primitives.ciphers import algorithms, Cipher, modes
from cryptography.hazmat.backends import default_backend
import os
key = os.urandom(32) # Using 256-bit key for stronger security
iv = os.urandom(16)
# Safe: Using AES-256 with GCM mode which provides authenticated encryption...