Javascript Insecure Use Of Cbc Mode
Description
Detects insecure usage of CBC (Cipher Block Chaining) mode in CryptoJS library within JavaScript code. CBC mode without proper implementation of authentication can be vulnerable to padding oracle attacks and chosen-ciphertext attacks, potentially allowing attackers to decrypt or modify encrypted data.
Weakness:
094 - Insecure encryption algorithm - Cipher Block Chaining
Category: Information Collection
Detection Strategy
• Check if the JavaScript file imports or uses the 'crypto-js' module
• Identify usage of CBC mode configuration in CryptoJS encryption operations
• Report vulnerability when CBC mode is detected in CryptoJS encryption functions without additional security controls
Vulnerable code example
import * as CryptoJS from 'crypto-js';
function encryptData(data, key) {
const iv = CryptoJS.lib.WordArray.random(16);
// VULNERABLE: Using CBC mode which is susceptible to padding oracle attacks
const encrypted = CryptoJS.AES.encrypt(data, key, {
mode: CryptoJS.mode.CBC,...✅ Secure code example
import * as CryptoJS from 'crypto-js';
async function encryptData(data, key) {
// Generate a random 12-byte (96-bit) IV - standard size for GCM
const iv = crypto.getRandomValues(new Uint8Array(12));
// Convert key to proper format for Web Crypto API
const keyBuffer = await crypto.subtle.importKey(...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.