Php Use Of Hardcoded Password
Description
Detects when hardcoded password strings are used to create password-protected encryption keys using the Defuse/Crypto library. Using hardcoded passwords for encryption is dangerous since they can be extracted from source code, potentially compromising encrypted data.
Detection Strategy
• Check if the Defuse/Crypto/KeyProtectedByPassword library is imported in the PHP code
• Look for calls to KeyProtectedByPassword::createRandomPasswordProtectedKey function
• Examine if the first argument passed to this function is a hardcoded password string rather than a variable or user input
• Report a vulnerability if a hardcoded password is found being used for key creation
Vulnerable code example
// VULNERABLE: Demonstrates hardcoded password vulnerability
function createEncryptionKey() {
$password = "hardcoded123"; // Noncompliant - password hardcoded in source code
return KeyProtectedByPassword::createRandomPasswordProtectedKey($password);
}✅ Secure code example
function createEncryptionKey() {
$password = getenv('ENCRYPTION_PASSWORD'); // Safe - password from environment variable
return KeyProtectedByPassword::createRandomPasswordProtectedKey($password);
}Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.