Php Hardcoded Init Vector
Description
Detects when hardcoded initialization vectors (IVs) are used with OpenSSL encryption/decryption functions in PHP code. Using static/hardcoded IVs severely weakens the security of encrypted data, since an IV should be random and unique for each encryption operation.
Detection Strategy
• Identifies calls to PHP functions 'openssl_encrypt' or 'openssl_decrypt'
• Checks the 4th parameter (IV argument) of these functions
• Reports a vulnerability if the IV parameter contains a hardcoded/static value instead of a dynamically generated one
• Example vulnerable code: openssl_encrypt($data, 'aes-256-cbc', $key, 0, '1234567890123456')
Vulnerable code example
```php
<?php
$cipher = 'AES-256-CBC';
$key = 'MySecretKey123';
$static_iv = '1234567890123456'; // VULNERABILITY: Hardcoded IV makes encryption predictable

function encrypt($data) {
    global $cipher, $key, $static_iv;
    return openssl_encrypt($data, $cipher, $key, OPENSSL_RAW_DATA, $static_iv); // VULNERABILITY: Using static IV
}
```
✅ Secure code example
```php
<?php
$cipher = 'AES-256-CBC';
$key = random_bytes(32); // Generate a proper cryptographic key instead of hardcoding

function encrypt($data) {
    global $cipher, $key;
    $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($cipher)); // Generate unique IV per encryption
    $encrypted = openssl_encrypt($data, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    return $iv . $encrypted; // Prepend the IV so the receiver can recover it for decryption
}
```