ajinabraham.njsscan.crypto_node.node_aes_noiv

Download Count: 1,129
AES algorithms require an initialization vector (IV). In some implementations, providing no IV or a null IV results in a zero IV. Use of a deterministic IV makes dictionary attacks easier.
Definition
rules:
  - id: node_aes_noiv
    patterns:
      - pattern-either:
          - pattern: |
              $X.createCipheriv("=~/^aes-/i", $KEY, "", ...)
    message: AES algorithms requires an initialization vector (IV). Providing no or
      null IV in some implementation results to a 0 IV. Use of a deterministic
      IV makes dictionary attacks easier.
    languages:
      - javascript
    severity: WARNING
    metadata:
      owasp-web: a9
      cwe: cwe-327
      license: LGPL-3.0-or-later
Short Link: https://sg.run/XBxN
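
The effect the rule message describes, shown next to the corrected call, as an added example that is not part of the njsscan rule or project. It assumes Node's built-in crypto module and models the 0 IV with an explicit all-zero buffer rather than the flagged `""` argument, whose behaviour depends on the implementation; the key, messages and function names are constructed for illustration.

```javascript
// Added example: not part of the njsscan rule. Key and messages are constructed.
const crypto = require('crypto');

const KEY = crypto.randomBytes(32); // constructed AES-256 key
const ZERO_IV = Buffer.alloc(16);   // assumption: models the "0 IV" fallback

// Weak: fixed all-zero IV. Same key + same plaintext always gives the same bytes.
function encryptZeroIv(plaintext) {
  const cipher = crypto.createCipheriv('aes-256-cbc', KEY, ZERO_IV);
  return Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
}

// Hardened: fresh random 16-byte IV per message, prepended so the receiver can decrypt.
// (CBC gives no integrity; pair it with a MAC or use an AEAD mode in real code.)
function encryptRandomIv(plaintext) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-cbc', KEY, iv);
  return Buffer.concat([iv, cipher.update(plaintext, 'utf8'), cipher.final()]);
}

function decryptRandomIv(blob) {
  const iv = blob.subarray(0, 16);
  const decipher = crypto.createDecipheriv('aes-256-cbc', KEY, iv);
  return Buffer.concat([decipher.update(blob.subarray(16)), decipher.final()]).toString('utf8');
}

// How many distinct ciphertexts result from a list of messages.
function distinctCiphertexts(messages, encrypt) {
  return new Set(messages.map((m) => encrypt(m).toString('hex'))).size;
}

const SAMPLE = ['approve', 'deny', 'approve', 'approve']; // constructed messages

console.log('zero IV  :', distinctCiphertexts(SAMPLE, encryptZeroIv), 'distinct of', SAMPLE.length);
console.log('random IV:', distinctCiphertexts(SAMPLE, encryptRandomIv), 'distinct of', SAMPLE.length);
console.log('round trip:', decryptRandomIv(encryptRandomIv('approve')));
```

With the fixed IV, repeated messages are visible as repeated ciphertexts, which is what lets an observer match ciphertexts against guessed plaintexts; with a random IV per message every ciphertext differs.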