TypeScript Insecure Cipher Creation
Description
Detects the creation of cryptographic ciphers using insecure algorithms or modes of operation. Using weak or outdated cryptographic algorithms can allow attackers to break the encryption and access sensitive data.
Detection Strategy
• Identifies function calls that create cryptographic cipher objects
• Checks if the cipher creation uses known insecure algorithms or modes (e.g., DES, RC4, ECB mode)
• Reports a vulnerability when cipher creation uses deprecated or cryptographically weak algorithms
• Analyzes the cipher algorithm and mode parameters passed to cipher creation functions
• Flags cipher instantiation code that does not follow cryptographic best practices
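The following scanner, added here as an illustration and not Fluid Attacks' own detection code, implements the strategy above for Node's crypto API: it finds cipher-creation calls, reads the algorithm argument when it is a string literal, and reports the deprecated password-based createCipher()/createDecipher() functions, weak algorithms (DES, 3DES, RC4, RC2, Blowfish) and ECB mode. The sample source it scans is constructed for this example; the algorithm list and the regular expression are this example's own assumptions, not the analyzer's actual rules.

```javascript
// Added example: a small lexical scanner for insecure Node.js cipher creation.
// Not Fluid Attacks' code; the algorithm list below is an assumption for illustration.

// Base algorithm names treated as cryptographically weak (64-bit blocks or broken stream ciphers).
const INSECURE_ALGORITHMS = ['des', 'des3', 'des-ede', 'des-ede3', 'rc4', 'rc2', 'bf', 'blowfish'];

// Matches crypto.createCipher(...) style calls and captures an optional string-literal first argument.
const CALL_RE = /crypto\.(createCipher|createDecipher|createCipheriv|createDecipheriv)\(\s*(['"`]([^'"`]*)['"`])?/g;

// Returns a reason string when the algorithm name is weak or uses ECB mode, else null.
function classifyAlgorithm(alg) {
  const lower = alg.toLowerCase();
  const base = lower.split('-')[0]; // 'aes' from 'aes-128-ecb', 'des' from 'des-ede3-cbc'
  if (INSECURE_ALGORITHMS.includes(lower) || INSECURE_ALGORITHMS.includes(base) || lower.startsWith('des')) {
    return `weak algorithm '${alg}'`;
  }
  if (lower.endsWith('ecb')) {
    return `ECB mode '${alg}' (deterministic, leaks plaintext patterns)`;
  }
  return null;
}

// Scans source text line by line and returns findings as { line, fn, reason } objects.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const line = idx + 1;
    for (const m of text.matchAll(CALL_RE)) {
      const [, fn, literal, alg] = m;
      if (fn === 'createCipher' || fn === 'createDecipher') {
        findings.push({ line, fn, reason: `deprecated ${fn}() derives key and IV from a password with MD5 and no salt` });
      }
      if (literal === undefined) {
        // Algorithm comes from a variable or call; a lexical scanner cannot resolve it.
        findings.push({ line, fn, reason: 'algorithm is not a string literal; review manually' });
        continue;
      }
      const reason = classifyAlgorithm(alg);
      if (reason) findings.push({ line, fn, reason });
    }
  });
  return findings;
}

// Constructed sample input (not from a real code base).
const SAMPLE_SOURCE = [
  "import crypto from 'crypto';",
  "const c1 = crypto.createCipher('aes-256-cbc', 'password123');",
  "const c2 = crypto.createDecipher('rc4', 'password123');",
  "const c3 = crypto.createCipheriv('aes-128-ecb', key, null);",
  "const c4 = crypto.createCipheriv('des-ede3-cbc', key, iv);",
  "const c5 = crypto.createCipheriv(algorithmFromConfig, key, iv);",
  "const ok = crypto.createCipheriv('aes-256-gcm', key, iv);",
].join('\n');

for (const f of scanSource(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.fn}: ${f.reason}`);
}
```

The scanner is intentionally lexical: it cannot follow an algorithm name that arrives through a variable, so it reports those calls for manual review rather than silently passing them, which is the conservative choice for a detector.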
Vulnerable code example
import crypto from 'crypto';
// Vulnerable: deprecated createCipher() takes a password instead of a key and IV;
// it derives both from the password with MD5 and no salt, so the IV repeats for every message
const cipher = crypto.createCipher('aes-256-cbc', 'password123');
// Vulnerable: RC4 is a broken stream cipher, and createDecipher() is deprecated for the same reason
const decipher = crypto.createDecipher('rc4', 'password123');
✅ Secure code example
import crypto from 'crypto';
// Generate a secure random key and IV
const key = crypto.randomBytes(32); // 256 bits for AES-256
const iv = crypto.randomBytes(16); // 16 bytes for AES IV (for GCM, a 12-byte nonce is the recommended length; never reuse a nonce with the same key)
// Secure: uses modern createCipheriv with an explicit key and IV and an authenticated mode
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
...