Go Insecure Cipher Usage
Description
Detects the use of cryptographically weak cipher algorithms (DES and Blowfish) in Go applications. These legacy ciphers are considered insecure due to their vulnerabilities to modern cryptographic attacks and should not be used in security-sensitive applications.
Detection Strategy
• Check for calls to des.NewTripleDESCipher() function which creates a new Triple DES cipher
• Check for calls to blowfish.NewCipher() function which creates a new Blowfish cipher
• Report a vulnerability when either of these cipher initialization functions are found in the code
Vulnerable code example
package main
import (
"crypto/des"
"crypto/md5"
"crypto/sha1"
)
...✅ Secure code example
package main
import (
"crypto/aes"
"crypto/sha256"
"crypto/rand"
"io"
)...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.