Typescript Cbc Cipher Unauthenticated Encryption
Description
Detects the use of CBC cipher mode in SSH2 SFTP client configurations which can be vulnerable to padding oracle attacks. CBC mode without proper authentication can allow attackers to decrypt encrypted data by manipulating ciphertext blocks and observing system responses.
Weakness:
094 - Insecure encryption algorithm - Cipher Block Chaining
Category: Information Collection
Detection Strategy
• Check if the source code imports or uses the 'ssh2-sftp-client' module/package
• Look for SFTP client configuration options or connection settings
• Identify if CBC cipher mode is specified in the encryption settings
• Report a vulnerability if CBC cipher mode is detected in SFTP client configurations
Vulnerable code example
import SftpClient from 'ssh2-sftp-client';
async function connectWithInsecureCipher() {
const client = new SftpClient();
const config = {
host: 'sftp.example.com',
username: 'user',...✅ Secure code example
import SftpClient from 'ssh2-sftp-client';
async function connectWithSecureCipher() {
const client = new SftpClient();
const config = {
host: 'sftp.example.com',
username: 'user',...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.