Java Hardcoded Static IV
Description
Detects when a cryptographic initialization vector (IV) is hardcoded in Java code and passed to javax.crypto.spec.IvParameterSpec. A fixed IV makes encryption deterministic: under the same key, identical plaintexts (and, in CBC mode, identical leading blocks) produce identical ciphertexts, which leaks equality of messages to anyone who can compare them and enables chosen-plaintext attacks. In stream-style modes such as CTR, reusing the IV under the same key reuses the keystream, so XORing two ciphertexts cancels the key material entirely. Every encryption under a given key should therefore use a fresh IV, unpredictable for CBC and never repeated for CTR, taken from a cryptographically secure random source. Note that AES-GCM is normally parameterized through GCMParameterSpec rather than IvParameterSpec, so a hardcoded GCM nonce, which is at least as dangerous, may fall outside the scope of this rule.
Detection Strategy
• Code imports IvParameterSpec from the javax.crypto.spec package (directly or via a wildcard import)
• Creates a new IvParameterSpec object whose first argument is a hardcoded or constant value
• The IV value is not derived from a cryptographically secure random number generator (for example SecureRandom) or another per-message source
• The IV value is deterministic, e.g. a string literal, a byte-array literal, or a static final constant initialized from one
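To make the four-point strategy concrete, here is an added example, not Fluid Attacks' own detector (which this page does not show), of a small Python scanner that applies those checks to Java source text: it gates on the javax.crypto.spec import, locates each new IvParameterSpec(...) call, extracts the first argument, and classifies it as deterministic when it is a string or byte-array literal, a .getBytes()/.clone() of one, or an identifier bound to a static final field initialized from one. The Java snippets it runs over are constructed for this example, and the helper names (first_argument, is_deterministic, find_hardcoded_ivs) are the example's own.

```python
import re

# Added example (not Fluid Attacks' detector): a textual scanner that applies the
# four-point detection strategy above to Java source and reports IvParameterSpec calls
# whose first argument is a literal or a constant built from one.

IV_IMPORT = re.compile(r"import\s+javax\.crypto\.spec\.(?:IvParameterSpec|\*)\s*;")
IV_CALL = re.compile(r"new\s+IvParameterSpec\s*\(")
CONST_FIELD = re.compile(r"static\s+final\s+(?:String|byte\s*\[\s*\])\s+(\w+)\s*=\s*([^;]+);")
STRING_LIT = re.compile(r'^"(?:[^"\\]|\\.)*"$')
ARRAY_LIT = re.compile(r"^new\s+byte\s*\[\s*\]\s*\{")
DERIVED = re.compile(r"^(.*)\.(?:getBytes|clone)\s*\(.*\)$")
OPENERS, CLOSERS = "([{", ")]}"


def first_argument(src, open_paren):
    """Return the first top-level argument of the call whose '(' sits at src[open_paren]."""
    depth = 0
    for i in range(open_paren, len(src)):
        c = src[i]
        if c in OPENERS:
            depth += 1
        elif c in CLOSERS:
            depth -= 1
            if depth == 0:  # call closed without a top-level comma: single argument
                return src[open_paren + 1:i].strip()
        elif c == "," and depth == 1:  # first top-level comma ends the first argument
            return src[open_paren + 1:i].strip()
    return src[open_paren + 1:].strip()


def is_deterministic(expr, constants):
    """True when the IV expression is a literal, or a constant/derivation of a literal."""
    expr = expr.strip()
    if STRING_LIT.match(expr) or ARRAY_LIT.match(expr):
        return True
    m = DERIVED.match(expr)  # "abc".getBytes(...) or CONST.getBytes(): inspect the receiver
    if m:
        return is_deterministic(m.group(1), constants)
    if expr in constants:  # identifier bound to a static final String / byte[] field
        return is_deterministic(constants[expr], constants)
    return False


def find_hardcoded_ivs(src):
    """Apply the detection strategy to one Java file; returns [(line, iv_expression), ...]."""
    if not IV_IMPORT.search(src):
        return []
    constants = {m.group(1): m.group(2).strip() for m in CONST_FIELD.finditer(src)}
    findings = []
    for m in IV_CALL.finditer(src):
        arg = first_argument(src, m.end() - 1)
        if is_deterministic(arg, constants):
            findings.append((src.count("\n", 0, m.start()) + 1, arg))
    return findings


# Constructed Java samples (not from the page) covering cases the rule should and should not flag.
VULNERABLE_CONSTANT = '''import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
public class A {
    private static final String STATIC_IV = "0123456789abcdef";
    void run(Cipher c, java.security.Key key) throws Exception {
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(STATIC_IV.getBytes()));
    }
}'''

VULNERABLE_INLINE = '''import javax.crypto.spec.*;
class B {
    IvParameterSpec iv() { return new IvParameterSpec(new byte[]{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}); }
}'''

SECURE_RANDOM_IV = '''import javax.crypto.spec.IvParameterSpec;
import java.security.SecureRandom;
class C {
    IvParameterSpec iv() {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        return new IvParameterSpec(iv);
    }
}'''

NO_IMPORT = 'class D { Object x = new IvParameterSpec("0123456789abcdef".getBytes()); }'

if __name__ == "__main__":
    for name, src in [("constant", VULNERABLE_CONSTANT), ("inline", VULNERABLE_INLINE),
                      ("random", SECURE_RANDOM_IV), ("no-import", NO_IMPORT)]:
        print(name, find_hardcoded_ivs(src))
```

Two limitations worth knowing when reading the strategy above literally: a static byte[] field filled once from SecureRandom at class load is still reused for every message (the IV is static for the life of the process) but is not a hardcoded literal, so a textual rule like this one does not flag it; and a fully qualified new javax.crypto.spec.IvParameterSpec(...) bypasses both the import gate and the call pattern. A production rule works on the parsed AST rather than on text for exactly these reasons.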
Vulnerable code example
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class VulnerableCrypto {
    private static final String STATIC_IV = "0123456789abcdef"; // Vulnerable: Hardcoded static IV
    public byte[] encrypt(String data, String key) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        // The same 16-byte IV is reused for every message, so equal plaintexts yield equal ciphertexts
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key.getBytes(), "AES"), new IvParameterSpec(STATIC_IV.getBytes()));
        return cipher.doFinal(data.getBytes());
    }
}
✅ Secure code example
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.SecureRandom;
import java.nio.charset.StandardCharsets;
public class SecureCrypto {
    public byte[] encrypt(String data, byte[] key) throws Exception {
        byte[] iv = new byte[16]; new SecureRandom().nextBytes(iv); // Fresh random IV for every encryption
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        byte[] ciphertext = cipher.doFinal(data.getBytes(StandardCharsets.UTF_8));
        return java.nio.ByteBuffer.allocate(iv.length + ciphertext.length).put(iv).put(ciphertext).array(); // IV is not secret: send it with the ciphertext
    }
}