Javascript Crypto Unsafe Empty Password
Description
This detector identifies JavaScript code that calls cryptographic functions with an empty or missing password, which defeats the purpose of password-based encryption. With an empty password the derived key depends only on parameters that are not secret (the salt, the iteration count and the digest), so anyone who holds the ciphertext and those parameters can recompute the key and read the data without any guessing.
Detection Strategy
• Scans JavaScript source code for usage of cryptographic libraries or built-in crypto modules
• Identifies function calls to cryptographic operations that require password parameters
• Flags instances where these cryptographic functions are called with empty strings, null values, or missing password arguments
• Reports vulnerabilities when password-based encryption methods are used without proper password protection
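As an added illustration of the strategy above (example code written for this page, not Fluid Attacks' detector), here is a minimal scanner that walks JavaScript source line by line, finds calls to Node's password-taking KDF functions, and flags the ones whose first argument is an empty string literal, null, undefined, or absent. The function list, the sample source and the output shape are all assumptions made for the example; a production detector would resolve variables and data flow rather than match literals.

```javascript
// Node crypto functions whose first parameter is the password (assumed list).
const PASSWORD_FUNCS = ['pbkdf2Sync', 'pbkdf2', 'scryptSync', 'scrypt'];

// Matches e.g. `crypto.pbkdf2Sync("", salt, 1000, 64, "sha512")` and captures
// the function name and the raw argument list. Longer names come first so
// `pbkdf2Sync` is not cut short to `pbkdf2`.
const CALL_RE = new RegExp('\\b(' + PASSWORD_FUNCS.join('|') + ')\\s*\\(([^)]*)\\)', 'g');

function firstArgument(argList) {
  // Split on the first comma; sufficient for the literal checks done here.
  const idx = argList.indexOf(',');
  return (idx === -1 ? argList : argList.slice(0, idx)).trim();
}

function isEmptyPassword(arg) {
  return arg === ''            // no argument at all
      || arg === "''" || arg === '""' || arg === '``'
      || arg === 'null' || arg === 'undefined';
}

// Returns one finding per flagged call: { line, func, arg }.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    CALL_RE.lastIndex = 0;
    let m;
    while ((m = CALL_RE.exec(text)) !== null) {
      const arg = firstArgument(m[2]);
      if (isEmptyPassword(arg)) {
        findings.push({ line: i + 1, func: m[1], arg: arg === '' ? '<missing>' : arg });
      }
    }
  });
  return findings;
}

// Constructed sample source: lines 2, 3, 5, 7 and 8 should be flagged,
// lines 4 and 6 should not (their password is a runtime value).
const SAMPLE_SOURCE = [
  "const crypto = require('crypto');",
  'const k1 = crypto.pbkdf2Sync("", "salt", 1000, 64, "sha512");',
  'const k2 = crypto.scryptSync(null, salt, 32);',
  'const k3 = crypto.pbkdf2Sync(password, salt, 100000, 64, "sha512");',
  'crypto.pbkdf2(undefined, salt, 100000, 64, "sha512", cb);',
  'const k4 = crypto.scryptSync(process.env.KEY_PASS, salt, 32);',
  'const k5 = crypto.pbkdf2Sync(``, salt, 100000, 64, "sha512");',
  'const k6 = crypto.scryptSync();',
].join('\n');

function report(source) {
  return scanSource(source).map(f => `line ${f.line}: ${f.func} called with password ${f.arg}`);
}
```

`report(SAMPLE_SOURCE)` yields five lines, one per flagged call. Because the scanner only looks at literals, `const pw = ""; crypto.pbkdf2Sync(pw, ...)` would slip through; that gap is exactly why a real detector follows values through assignments rather than matching the call site alone.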
Vulnerable code example
const crypto = require('crypto');
// Vulnerable: empty password in pbkdf2Sync
const hash = crypto.pbkdf2Sync("", "salt", 1000, 64, "sha512");
✅ Secure code example
const crypto = require('crypto');
function secureHash(password) {
if (!password || password.length === 0) { // Validate password is not empty
throw new Error("Password required");
}
const hash = crypto.pbkdf2Sync(password, "salt", 1000, 64, "sha512"); // Safe: password validated above
return hash;
}
The detector only checks the password argument. The hard-coded salt and the low iteration count in this example are separate weaknesses that it does not flag: use a random per-user salt stored with the derived hash, and an iteration count well above 1000.