C Sharp Static Iv In Aes
Description
Detects the use of static/hardcoded Initialization Vectors (IVs) in AES encryption using CBC mode in C# code. Using a static IV makes the encryption predictable and vulnerable to chosen-plaintext attacks, severely weakening the security of the encryption.
Detection Strategy
• Identifies calls to the CreateEncryptor() method in C# code, which is typically used with AES encryption
• Examines the second argument (IV parameter) passed to CreateEncryptor()
• Reports a vulnerability if the IV value is hardcoded or static rather than randomly generated
• Specifically flags cases where the same IV is reused across multiple encryption operations
Vulnerable code example
using System.Security.Cryptography;

public class InsecureCrypto {
    public byte[] EncryptData(byte[] data) {
        using (var aes = new AesCryptoServiceProvider()) {
            // VULNERABLE: Using hardcoded IV makes encryption predictable
            byte[] staticIV = new byte[] { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
            var encryptor = aes.CreateEncryptor(aes.Key, staticIV);
            // Every call reuses the same IV, so equal inputs produce equal ciphertext blocks
            return encryptor.TransformFinalBlock(data, 0, data.Length);
        }
    }
}
Secure code example
using System.Security.Cryptography;
using System.IO;

public class SecureCrypto {
    public byte[] EncryptData(byte[] data) {
        using (var aes = new AesCryptoServiceProvider())
        using (var output = new MemoryStream()) {
            // Secure: Generate random IV for each encryption; the IV is not secret, so prepend it for the receiver
            aes.GenerateIV();
            output.Write(aes.IV, 0, aes.IV.Length);
            var encryptor = aes.CreateEncryptor(aes.Key, aes.IV);
            byte[] ciphertext = encryptor.TransformFinalBlock(data, 0, data.Length);
            output.Write(ciphertext, 0, ciphertext.Length);
            return output.ToArray();
        }
    }
}