What is cryptographic failure?

An OWASP category (A04) covering weak encryption, insecure RNG, weak hashing, and hardcoded credentials that introduce crypto vulnerabilities.

How should I fix weak password hashing?

Avoid MD5/SHA1 and use bcrypt, Argon2, or PBKDF2 with proper parameters; ensure peppering and adequate iterations where applicable.

How do I manage hardcoded secrets?

Remove secrets from code, use secret management services (e.g., Vault, AWS Secrets Manager), rotate keys regularly, and enforce scoped access controls.

Cryptographic Failures

npx machina-cli add skill allsmog/vuln-scout/cryptographic-failures --openclaw

Files (1)

SKILL.md

9.9 KB

Cryptographic Failures (OWASP A04)

Purpose

Provide detection patterns for cryptographic vulnerabilities including weak algorithms, hardcoded secrets, insufficient key lengths, and insecure random number generation.

OWASP 2025 Mapping

Category: A04 - Cryptographic Failures

CWEs:

CWE-326: Inadequate Encryption Strength
CWE-327: Use of Broken or Risky Crypto Algorithm
CWE-328: Reversible One-Way Hash
CWE-330: Use of Insufficiently Random Values
CWE-338: Use of Cryptographically Weak PRNG
CWE-798: Use of Hardcoded Credentials

When to Use

Activate this skill when:

Reviewing password hashing implementations
Checking encryption algorithm usage
Looking for hardcoded secrets/API keys
Auditing random number generation
Verifying key management practices

Weak Hash Algorithms

Detection Patterns

# MD5 usage (broken for security)
grep -rniE "md5\(|MD5\.|hashlib\.md5|MessageDigest.*MD5|crypto\.MD5" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# SHA1 usage (deprecated for security)
grep -rniE "sha1\(|SHA1\.|hashlib\.sha1|MessageDigest.*SHA-1|crypto\.SHA1" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Password hashing with weak algorithms
grep -rniE "password.*md5|password.*sha1|hash.*password.*md5" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

Language-Specific Patterns

Python

# Weak hashing
grep -rniE "hashlib\.md5|hashlib\.sha1" --include="*.py"

# Should use: bcrypt, argon2, scrypt
grep -rniE "bcrypt|argon2|scrypt" --include="*.py"

Vulnerable:

# VULNERABLE: MD5 for passwords
password_hash = hashlib.md5(password.encode()).hexdigest()

Secure:

# SAFE: bcrypt for passwords
password_hash = bcrypt.hashpw(password.encode(), bcrypt.gensalt())

Java

# Weak MessageDigest
grep -rniE "MessageDigest\.getInstance.*MD5|MessageDigest\.getInstance.*SHA-1" --include="*.java"

# Should use: BCrypt, Argon2, PBKDF2
grep -rniE "BCrypt|Argon2|PBKDF2|SecretKeyFactory" --include="*.java"

Go

# Weak crypto imports
grep -rniE "crypto/md5|crypto/sha1" --include="*.go"

# Should use: bcrypt, argon2
grep -rniE "golang\.org/x/crypto/bcrypt|golang\.org/x/crypto/argon2" --include="*.go"

PHP

# Weak hashing
grep -rniE "md5\(|sha1\(" --include="*.php"

# Should use: password_hash
grep -rniE "password_hash|PASSWORD_BCRYPT|PASSWORD_ARGON2" --include="*.php"

TypeScript

# Weak crypto
grep -rniE "createHash.*md5|createHash.*sha1" --include="*.ts"

# Should use: bcrypt
grep -rniE "bcrypt\.hash|argon2" --include="*.ts"

Weak Encryption Algorithms

Detection Patterns

# DES (broken)
grep -rniE "DES|DESede|TripleDES" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# RC4 (broken)
grep -rniE "RC4|ARC4|ARCFOUR" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# ECB mode (insecure)
grep -rniE "ECB|AES/ECB|MODE_ECB" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Blowfish (deprecated)
grep -rniE "Blowfish|BLOWFISH" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

Secure Alternatives

Weak	Secure Alternative
DES	AES-256
3DES	AES-256
RC4	ChaCha20 or AES-GCM
ECB mode	GCM or CBC with HMAC
Blowfish	AES-256
RSA-1024	RSA-2048+ or ECDSA

Hardcoded Secrets

Detection Patterns

# API keys
grep -rniE "api[_-]?key\s*[=:]\s*['\"][a-zA-Z0-9]{16,}['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Passwords
grep -rniE "password\s*[=:]\s*['\"][^'\"]+['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Secret keys
grep -rniE "secret[_-]?key\s*[=:]\s*['\"][^'\"]+['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# AWS credentials
grep -rniE "AKIA[0-9A-Z]{16}|aws_secret_access_key" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.env"

# Private keys
grep -rniE "BEGIN RSA PRIVATE KEY|BEGIN PRIVATE KEY|BEGIN EC PRIVATE KEY" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.pem"

# JWT secrets
grep -rniE "jwt[_-]?secret\s*[=:]\s*['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

High-Entropy String Detection

# Long alphanumeric strings (potential secrets)
grep -rniE "['\"][a-zA-Z0-9+/=]{32,}['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

Insecure Random Number Generation

Detection Patterns

# JavaScript/TypeScript - Math.random (NOT cryptographically secure)
grep -rniE "Math\.random\(\)" --include="*.ts" --include="*.js"

# Python - random module (NOT cryptographically secure)
grep -rniE "import random|from random|random\.random|random\.randint" --include="*.py"

# Java - java.util.Random (NOT cryptographically secure)
grep -rniE "new Random\(\)|java\.util\.Random" --include="*.java"

# PHP - rand/mt_rand (NOT cryptographically secure)
grep -rniE "rand\(|mt_rand\(" --include="*.php"

# Go - math/rand (NOT cryptographically secure)
grep -rniE "math/rand|rand\.Intn|rand\.Int\(" --include="*.go"

Secure Alternatives

Language	Insecure	Secure
Python	`random.random()`	`secrets.token_bytes()`
Java	`java.util.Random`	`java.security.SecureRandom`
Go	`math/rand`	`crypto/rand`
JavaScript	`Math.random()`	`crypto.randomBytes()`
PHP	`rand()`, `mt_rand()`	`random_bytes()`, `random_int()`

Insufficient Key Length

Detection Patterns

# RSA key size (should be 2048+)
grep -rniE "RSA.*1024|keysize.*1024|KeyPairGenerator.*1024" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# AES key size (should be 256 for sensitive data)
grep -rniE "AES.*128|aes-128" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# HMAC key size
grep -rniE "hmac.*key.*['\"][a-zA-Z0-9]{1,15}['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

Minimum Key Lengths

Algorithm	Minimum	Recommended
RSA	2048 bits	4096 bits
AES	128 bits	256 bits
ECDSA	256 bits	384 bits
HMAC	256 bits	512 bits

Predictable IVs/Nonces

Detection Patterns

# Static/zero IV
grep -rniE "iv\s*=\s*['\"]0{16,}['\"]|iv\s*=\s*bytes\(16\)|iv.*\[0,0,0" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Reused nonce
grep -rniE "nonce\s*=\s*['\"]|static.*nonce|const.*nonce" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

Missing Encryption

Detection Patterns

# Plaintext password storage
grep -rniE "password\s*=\s*request|user\.password\s*=\s*" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# HTTP instead of HTTPS
grep -rniE "http://[^localhost]|http://[^127\.0\.0\.1]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Unencrypted database connection
grep -rniE "sslmode=disable|useSSL=false|ssl=false" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.env"

Broken Certificate Validation

Detection Patterns

# Go - Skip TLS verification
grep -rniE "InsecureSkipVerify\s*:\s*true" --include="*.go"

# Python - Disable SSL verification
grep -rniE "verify\s*=\s*False|CERT_NONE" --include="*.py"

# Java - Trust all certificates
grep -rniE "TrustAllCerts|X509TrustManager|checkServerTrusted.*return" --include="*.java"

# Node.js - Reject unauthorized false
grep -rniE "rejectUnauthorized\s*:\s*false|NODE_TLS_REJECT_UNAUTHORIZED" --include="*.ts" --include="*.js"

# PHP - Disable SSL verification
grep -rniE "CURLOPT_SSL_VERIFYPEER\s*=>\s*false|verify_peer.*false" --include="*.php"

Secure Patterns

Password Hashing

# Python - Argon2 (recommended)
from argon2 import PasswordHasher
ph = PasswordHasher()
hash = ph.hash(password)

// Java - BCrypt
String hash = BCrypt.hashpw(password, BCrypt.gensalt(12));

// Go - bcrypt
hash, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)

Encryption

# Python - AES-GCM
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
key = AESGCM.generate_key(bit_length=256)
aesgcm = AESGCM(key)
nonce = os.urandom(12)  # Random nonce
ciphertext = aesgcm.encrypt(nonce, plaintext, None)

Random Generation

# Python - Secure random
import secrets
token = secrets.token_hex(32)

Verification Checklist

CWE References

CWE	Name	Example
CWE-326	Inadequate Encryption	RSA-1024
CWE-327	Broken Crypto	MD5, DES, RC4
CWE-328	Reversible Hash	MD5 for passwords
CWE-330	Insufficient Randomness	Math.random for tokens
CWE-338	Weak PRNG	rand() for crypto
CWE-798	Hardcoded Credentials	API keys in code

Source

git clone https://github.com/allsmog/vuln-scout/blob/main/whitebox-pentest/skills/cryptographic-failures/SKILL.mdView on GitHub

Overview

Cryptographic Failures helps detect weak algorithms, insecure RNG, and hardcoded credentials during whitebox pentesting. It aligns with OWASP A04 and CWE mappings, offering language-specific detection patterns and secure replacements like bcrypt, Argon2, PBKDF2, and AES over weak ciphers.

How This Skill Works

The skill provides detection patterns and grep-based queries for multiple languages to flag MD5, SHA1, weak hashes, insecure RNG, and hardcoded secrets. It then guides remediation by suggesting secure algorithms (bcrypt, Argon2, PBKDF2) and stronger encryption practices, mapped to CWE categories.

When to Use It

Reviewing password hashing implementations
Checking encryption algorithm usage
Looking for hardcoded secrets/API keys
Auditing random number generation
Verifying key management practices

Quick Start

Step 1: Run language-specific detection patterns to find weak hashes (MD5/SHA1), insecure RNG, and hardcoded secrets
Step 2: Map each finding to the relevant CWE (e.g., CWE-326, CWE-327, CWE-798) and document impact
Step 3: Replace weak crypto with secure alternatives (bcrypt/Argon2/PBKDF2, AES-GCM) and move secrets to a vault or secret manager

Best Practices

Avoid MD5/SHA-1 for passwords; use bcrypt, Argon2, or PBKDF2 with proper parameters
Use cryptographically secure RNGs; replace insecure sources
Eliminate hardcoded credentials; adopt secret management solutions
Enforce strong key lengths and modern encryption modes (e.g., AES-GCM)
Regularly audit crypto usage and map findings to CWE references

Example Use Cases

Codebase hashes passwords with MD5, exposing them to rainbow table attacks
Application uses SHA-1 for file integrity, risking collision-based tampering
Hardcoded API keys embedded in source files
Random values generated with Math.random() instead of a CSPRNG
DES or RC4 is used for encryption instead of modern algorithms like AES

Frequently Asked Questions

Add this skill to your agents