Description

This detector identifies PBKDF2 implementations in Dart cryptography code that use weak iteration counts. PBKDF2 with insufficient iterations is vulnerable to brute-force attacks, as modern hardware can quickly compute hashes with low iteration counts, making password-derived keys easier to crack.

Detection Strategy

• The detector first checks if Dart cryptography libraries are imported in the analyzed code

• It then searches for calls to 'deriveKey' methods (or similar key derivation functions) within the imported cryptography libraries

• For each deriveKey call found, it verifies that the call involves password-based key derivation (not other key sources)

• The detector traces back to find the PBKDF2 constructor or configuration associated with the deriveKey call

• Finally, it checks if the PBKDF2 constructor uses a weak iteration count (typically below recommended security thresholds like 100,000 iterations)

• A vulnerability is reported when all conditions are met: cryptography library usage, password-based key derivation call, and weak iteration count in the PBKDF2 configuration

Vulnerable code example

import 'package:cryptography/cryptography.dart';

Future<void> weakPbkdf2(List<int> nonce) async {
  final password = [0, 1, 2, 3];
  
  // VULNERABLE: 100 iterations is far below OWASP minimum of 600,000 for SHA-256
  final pbkdf2 = Pbkdf2(macAlgorithm: Hmac.sha256(), iterations: 100, bits: 256);
  await pbkdf2.deriveKeyFromPassword(password: password, nonce: nonce);...

✅ Secure code example

import 'package:cryptography/cryptography.dart';

Future<void> strongPbkdf2(List<int> nonce) async {
  final password = [0, 1, 2, 3];
  
  // SECURE: 600,000 iterations meets OWASP minimum for SHA-256
  final pbkdf2 = Pbkdf2(macAlgorithm: Hmac.sha256(), iterations: 600000, bits: 256);
  await pbkdf2.deriveKeyFromPassword(password: password, nonce: nonce);...