Usage of weak encryption algorithm (RC4)

Overview

  • Rule ID: javascript_lang_weak_encryption_rc4

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-327

Description

Employing the RC4 (Rivest Cipher 4) encryption algorithm presents a major security risk. RC4 is outdated and has been shown to be vulnerable to numerous attacks, rendering any data encrypted with it susceptible to unauthorized access and compromise.

Remediation Guidelines

  • Avoid using RC4 for data encryption, as its vulnerabilities can undermine data security.

  • Choose more robust encryption algorithms, such as AES-256, for encrypting data. This provides a higher level of security for your data.

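    const crypto = require("crypto");

    // AES-256 needs a 32-byte key and a fresh, random 16-byte IV for every message
    const key = crypto.randomBytes(32);
    const iv = crypto.randomBytes(16);
    const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
    // update() returns only part of the ciphertext; final() flushes the last padded block
    const encrypted = Buffer.concat([cipher.update("my secret message", "utf8"), cipher.final()]);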
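
An added example, not part of the original rule documentation: the same AES-256 replacement using GCM mode rather than the CBC mode shown above, so that modified ciphertext is rejected at decryption. The function names and the iv || tag || ciphertext envelope layout are assumptions of this example.

```javascript
const crypto = require("crypto");

// Hypothetical helper names; the key must be 32 random bytes kept in a secret store.
function encryptMessage(key, plaintext) {
  if (!Buffer.isBuffer(key) || key.length !== 32) {
    throw new Error("AES-256 requires a 32-byte key");
  }
  // GCM needs a unique 12-byte IV per message under the same key.
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16 bytes by default
  // Envelope layout (an assumption of this example): iv || tag || ciphertext
  return Buffer.concat([iv, tag, ciphertext]);
}

function decryptMessage(key, envelope) {
  if (!Buffer.isBuffer(envelope) || envelope.length < 28) {
    throw new Error("envelope too short");
  }
  const iv = envelope.subarray(0, 12);
  const tag = envelope.subarray(12, 28);
  const ciphertext = envelope.subarray(28);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  // final() throws if the tag does not match, i.e. if anything was modified.
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
}

// Returns true when decryption rejects an envelope with one flipped bit.
function rejectsTampering(key, envelope) {
  const tampered = Buffer.from(envelope);
  tampered[tampered.length - 1] ^= 0x01;
  try {
    decryptMessage(key, tampered);
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed sample input for the demonstration.
const demoKey = crypto.randomBytes(32);
const demoEnvelope = encryptMessage(demoKey, "my secret message");
console.log(decryptMessage(demoKey, demoEnvelope));
console.log("tampering rejected:", rejectsTampering(demoKey, demoEnvelope));
```

The IV and tag are not secret and travel with the ciphertext; only the key needs protecting.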
