# Usage of weak encryption algorithm (RC4)

## Overview

* **Rule ID**: `javascript_lang_weak_encryption_rc4`
* **Applicable Languages**: JavaScript
* **Weakness ID**: CWE-327

## Description

Employing the RC4 (Rivest Cipher 4) encryption algorithm presents a major security risk. RC4 is outdated and has been shown to be vulnerable to numerous attacks, rendering any data encrypted with it susceptible to unauthorized access and compromise.

## Remediation Guidelines

* **Avoid** using RC4 for data encryption, as its vulnerabilities can undermine data security.
* **Choose more robust encryption algorithms**, such as AES-256, for encrypting data. This provides a higher level of security for your data.

  ```javascript
  const crypto = require("crypto");

  // AES-256 needs a 32-byte key; CBC needs a 16-byte IV that is fresh for every message
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(16);

  const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
  // update() emits the complete blocks; final() flushes the padded remainder
  const encrypted = Buffer.concat([cipher.update("my secret message", "utf8"), cipher.final()]);
  ```

## References

* [**NodeJS Crypto Module**](https://nodejs.org/api/crypto.html)
* [**CWE-327: Use of a Broken or Risky Cryptographic Algorithm**](https://cwe.mitre.org/data/definitions/327.html)
* [**OWASP Top 10: A02:2021 - Cryptographic Failures**](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)

## Configuration

To omit this rule during a scan, or to get continuous 24/7 code-level scanning, you can use our [**SAST TOOL**](https://scopy.sec1.io/login).
