C Sharp Hardcoded Init Vector
Description
Detects hardcoded initialization vectors (IVs) in C# AES encryption implementations. A static, hardcoded IV weakens the protection of the encrypted data: an IV must be freshly and randomly generated for every encryption operation, otherwise encrypting the same (or partially identical) plaintext twice yields recognisable, repeating ciphertext.
Detection Strategy
• Identifies assignments to the 'IV' property in AES-related code
• Checks if the IV value is hardcoded/static rather than randomly generated
• Verifies the IV assignment is specifically related to AES encryption context
• Reports a vulnerability when a hardcoded value is assigned to the IV property of an AES encryption object
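The detection strategy above, carried out as an added example (not Fluid Attacks' own rule implementation): a simplified, line-oriented approximation that tracks variables created from Aes.Create() or the AES constructors and flags an `.IV =` assignment whose right-hand side is a literal. The C# snippets it scans are constructed inline.

```python
import re
from typing import List, Tuple

# Constructed C# inputs (not from any real project): the first mirrors the
# page's vulnerable pattern, the second the secure one.
VULNERABLE_SNIPPET = """using System.Security.Cryptography;
class Encryptor {
    public Aes GetAes() {
        var aes = Aes.Create();
        aes.IV = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
        return aes;
    }
}"""

SECURE_SNIPPET = """using System.Security.Cryptography;
class Encryptor {
    public Aes GetAes() {
        var aes = Aes.Create();
        aes.GenerateIV();
        return aes;
    }
}"""

# Step 1 of the strategy: an object created from Aes.Create() or an AES
# constructor is "AES context"; remember the variable it is assigned to.
AES_CTOR = re.compile(
    r'\b(?:var|Aes|AesManaged|AesCryptoServiceProvider|SymmetricAlgorithm)\s+(\w+)\s*=\s*'
    r'(?:Aes\.Create\(|new\s+(?:AesManaged|AesCryptoServiceProvider)\s*\()'
)
# Step 2: an assignment to the IV property (the (?!=) avoids matching "==").
IV_ASSIGN = re.compile(r'\b(\w+)\.IV\s*=(?!=)\s*(.+?);')
# Step 3: right-hand sides that are hardcoded rather than randomly generated:
# byte-array literals, string constants, base64 literals.
HARDCODED_RHS = re.compile(
    r'^(?:new\s+byte\s*\[\s*\]\s*\{|Encoding\.\w+\.GetBytes\s*\(\s*"|Convert\.FromBase64String\s*\(\s*")'
)

def find_hardcoded_ivs(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, variable) for every hardcoded IV assigned to an AES object."""
    aes_vars = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        ctor = AES_CTOR.search(line)
        if ctor:
            aes_vars.add(ctor.group(1))
        for var, rhs in IV_ASSIGN.findall(line):
            # Step 4: report only when the target is an AES object and the value is static.
            if var in aes_vars and HARDCODED_RHS.match(rhs.strip()):
                findings.append((lineno, var))
    return findings
```

A real rule works on a syntax tree rather than text lines, so an IV reaching the property through a constant field or a helper method is beyond this approximation.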
Vulnerable code example
using System.Security.Cryptography;

class Encryptor {
    public Aes GetAes() {
        var aes = Aes.Create();
        // VULNERABILITY: a hardcoded IV is reused for every message, which makes
        // the encryption predictable
        aes.IV = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
        return aes;
    }
}

✅ Secure code example
using System.Security.Cryptography;

class Encryptor {
    public Aes GetAes() {
        var aes = Aes.Create();
        // Generate a cryptographically secure random IV of the correct block length.
        // A fresh IV is needed for each encryption operation; the IV is not secret and
        // is stored or sent alongside the ciphertext so the recipient can decrypt.
        aes.GenerateIV();
        return aes;
    }
}