C Sharp Hardcoded Cryptographic Key
Description
Detects hardcoded cryptographic keys used with AES encryption in C# code. When an encryption key is hardcoded in source code, anyone who gains access to the codebase (or to a build artifact that can be decompiled) can extract it, which compromises every piece of data encrypted under that key; the key also cannot be rotated without shipping new code.
Detection Strategy
• Confirms that the System.Security.Cryptography namespace is imported
• Identifies calls to the CreateEncryptor() method on an object created for AES encryption
• Checks whether the key argument passed to CreateEncryptor() is a hardcoded literal rather than a value retrieved from secure configuration or a key management system
• Reports a vulnerability when CreateEncryptor() is called with hardcoded key material
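The four steps above, reduced to a small heuristic checker. This is an added example written for this page, not Fluid Attacks' analyser: it uses regular expressions over a single source file, and the embedded `sample` source, the class `HardcodedKeyCheck` and the regexes are all constructed assumptions. Note what it does not catch: a key spelled as a string literal and converted with Encoding.GetBytes(...), a key assigned via `aes.Key = ...` followed by a parameterless CreateEncryptor(), or a literal that reaches the call through a local variable. A production analyser resolves that data flow; this one only shows the shape of the check.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Heuristic checker (added example): mirrors the detection steps with regexes.
static class HardcodedKeyCheck
{
    // Step 1: the namespace must be imported somewhere in the file.
    static readonly Regex UsingCrypto =
        new(@"^\s*using\s+System\.Security\.Cryptography\s*;", RegexOptions.Multiline);

    // Step 2: CreateEncryptor(<identifier>, ...) - capture the key argument name.
    static readonly Regex EncryptorCall = new(@"\bCreateEncryptor\s*\(\s*([A-Za-z_]\w*)\s*,");

    // Step 3: is that identifier declared as a byte[] initialised with hex literals?
    //   byte[] Name = { 0x.. }   or   byte[] Name = new byte[] { 0x.. }
    static string LiteralArray(string name) =>
        $@"byte\[\]\s+{Regex.Escape(name)}\s*=\s*(new\s+byte\[\]\s*)?\{{\s*0x[0-9A-Fa-f]{{2}}";

    // Step 4: report each CreateEncryptor call whose key argument is literal key material.
    public static IEnumerable<string> Scan(string source)
    {
        if (!UsingCrypto.IsMatch(source)) yield break;
        foreach (Match m in EncryptorCall.Matches(source))
        {
            string keyArg = m.Groups[1].Value;
            if (Regex.IsMatch(source, LiteralArray(keyArg)))
                yield return $"{keyArg}: literal key material passed to CreateEncryptor";
        }
    }

    static void Main()
    {
        // Constructed sample: one flagged call (HardcodedKey) and one clean call.
        const string sample = @"
using System.Security.Cryptography;
class Encryptor
{
    private static readonly byte[] HardcodedKey = { 0x00, 0x11, 0x22, 0x33 };
    private static byte[] GetEncryptionKey() =>
        Convert.FromBase64String(Environment.GetEnvironmentVariable(""APP_AES_KEY""));
    byte[] Run(Aes aes)
    {
        var bad  = aes.CreateEncryptor(HardcodedKey, aes.IV);
        var good = aes.CreateEncryptor(GetEncryptionKey(), aes.IV);
        return aes.IV;
    }
}";
        foreach (string finding in Scan(sample))
            Console.WriteLine(finding);   // HardcodedKey: literal key material passed to CreateEncryptor
    }
}
```

The `good` call is not reported because its first argument is a method call, not an identifier bound to a literal array; the `bad` call is reported because `HardcodedKey` resolves to a hex-initialised byte[] in the same file.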
Vulnerable code example
using System;
using System.Security.Cryptography;
class Encryptor
{
    private static readonly byte[] HardcodedKey = { // Unsafe: Hardcoded cryptographic key
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF // 16 bytes: AES-128 key size
    };
    public static byte[] Encrypt(byte[] plaintext)
    {
        using var aes = Aes.Create();
        using var encryptor = aes.CreateEncryptor(HardcodedKey, aes.IV); // Flagged: key argument is literal key material
        return encryptor.TransformFinalBlock(plaintext, 0, plaintext.Length);
    }
}
✅ Secure code example
using System;
using System.Security.Cryptography;
using System.Text;
class Encryptor
{
    // Safe: Get key from secure storage instead of hardcoding
    private static byte[] GetEncryptionKey()
    {
        // Example source: a base64 key injected at run time by the secrets manager (variable name is illustrative)
        string encoded = Environment.GetEnvironmentVariable("APP_AES_KEY")
            ?? throw new InvalidOperationException("APP_AES_KEY is not set");
        return Convert.FromBase64String(encoded);
    }
}
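A complete round trip in the hardened form, as an added example (not the page's or Fluid Attacks' code): the key is loaded at run time, its length is validated, a fresh random IV is generated for every message and prepended to the ciphertext so decryption does not depend on a second stored secret. The environment variable name `APP_AES_KEY`, the class `SafeEncryptor` and the 32-byte (AES-256) key contract are assumptions for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: runtime-loaded key, per-message random IV, IV prepended to ciphertext.
static class SafeEncryptor
{
    // Assumed contract: APP_AES_KEY holds a base64-encoded 32-byte key provided by a
    // secrets manager or key vault at deploy time; nothing key-shaped lives in the repo.
    public static byte[] LoadKey()
    {
        string b64 = Environment.GetEnvironmentVariable("APP_AES_KEY")
            ?? throw new InvalidOperationException("APP_AES_KEY is not set");
        byte[] key = Convert.FromBase64String(b64);
        if (key.Length != 32)
            throw new CryptographicException($"expected a 32-byte AES key, got {key.Length} bytes");
        return key;
    }

    // Output layout: [16-byte IV][CBC/PKCS7 ciphertext]
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        using var aes = Aes.Create();          // CBC with PKCS7 padding by default
        aes.Key = key;
        aes.GenerateIV();                      // random IV per message, never reused
        using var enc = aes.CreateEncryptor(aes.Key, aes.IV);
        byte[] body = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        byte[] output = new byte[aes.IV.Length + body.Length];
        Buffer.BlockCopy(aes.IV, 0, output, 0, aes.IV.Length);
        Buffer.BlockCopy(body, 0, output, aes.IV.Length, body.Length);
        return output;
    }

    public static byte[] Decrypt(byte[] key, byte[] blob)
    {
        using var aes = Aes.Create();
        aes.Key = key;
        byte[] iv = new byte[aes.BlockSize / 8]; // 16 bytes for AES
        if (blob.Length < iv.Length)
            throw new CryptographicException("ciphertext too short to contain an IV");
        Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
        using var dec = aes.CreateDecryptor(key, iv);
        return dec.TransformFinalBlock(blob, iv.Length, blob.Length - iv.Length);
    }

    static void Main()
    {
        byte[] key = LoadKey();
        byte[] first = Encrypt(key, Encoding.UTF8.GetBytes("demo payload"));
        byte[] second = Encrypt(key, Encoding.UTF8.GetBytes("demo payload"));
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(key, first)));
        // Same plaintext, same key, different blobs: the IV differs each time.
        Console.WriteLine(Convert.ToBase64String(first) == Convert.ToBase64String(second) ? "IV reused" : "IV fresh");
    }
}
```

To run it locally, set the variable from a freshly generated key, for example `export APP_AES_KEY=$(openssl rand -base64 32)`; the same deployment path (CI secret, container secret mount, key vault lookup) replaces the literal array that the rule flags. CBC on its own gives confidentiality but not integrity; where the ciphertext crosses a trust boundary, prefer an authenticated mode such as AesGcm or add a MAC over the IV and ciphertext, which changes nothing about how the key is sourced.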