Cryptographic Failures

This skill should be used when the user asks about "cryptographic failures", "weak encryption", "hardcoded secrets", "insecure random", "MD5", "SHA1", "weak hashing", or needs to find crypto-related vulnerabilities during whitebox security review.

14 stars

Best use case

Cryptographic Failures is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

This skill should be used when the user asks about "cryptographic failures", "weak encryption", "hardcoded secrets", "insecure random", "MD5", "SHA1", "weak hashing", or needs to find crypto-related vulnerabilities during whitebox security review.

Teams using Cryptographic Failures should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/cryptographic-failures/SKILL.md --create-dirs "https://raw.githubusercontent.com/allsmog/vuln-scout/main/vuln-scout/skills/cryptographic-failures/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/cryptographic-failures/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Cryptographic Failures Compares

Feature / AgentCryptographic FailuresStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

This skill should be used when the user asks about "cryptographic failures", "weak encryption", "hardcoded secrets", "insecure random", "MD5", "SHA1", "weak hashing", or needs to find crypto-related vulnerabilities during whitebox security review.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Cryptographic Failures (OWASP A02)

## Purpose

Provide detection patterns for cryptographic vulnerabilities including weak algorithms, hardcoded secrets, insufficient key lengths, and insecure random number generation.

## OWASP Top 10 Mapping

**Category**: A02 - Cryptographic Failures

**CWEs**:
- CWE-326: Inadequate Encryption Strength
- CWE-327: Use of Broken or Risky Crypto Algorithm
- CWE-328: Reversible One-Way Hash
- CWE-330: Use of Insufficiently Random Values
- CWE-338: Use of Cryptographically Weak PRNG
- CWE-798: Use of Hardcoded Credentials

## When to Use

Activate this skill when:
- Reviewing password hashing implementations
- Checking encryption algorithm usage
- Looking for hardcoded secrets/API keys
- Auditing random number generation
- Verifying key management practices

---

## Weak Hash Algorithms

### Detection Patterns

```bash
# MD5 usage (broken for security)
grep -rniE "md5\(|MD5\.|hashlib\.md5|MessageDigest.*MD5|crypto\.MD5" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# SHA1 usage (deprecated for security)
grep -rniE "sha1\(|SHA1\.|hashlib\.sha1|MessageDigest.*SHA-1|crypto\.SHA1" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Password hashing with weak algorithms
grep -rniE "password.*md5|password.*sha1|hash.*password.*md5" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```

### Language-Specific Patterns

#### Python

```bash
# Weak hashing
grep -rniE "hashlib\.md5|hashlib\.sha1" --include="*.py"

# Should use: bcrypt, argon2, scrypt
grep -rniE "bcrypt|argon2|scrypt" --include="*.py"
```

**Vulnerable**:
```python
# VULNERABLE: MD5 for passwords
password_hash = hashlib.md5(password.encode()).hexdigest()
```

**Secure**:
```python
# SAFE: bcrypt for passwords
password_hash = bcrypt.hashpw(password.encode(), bcrypt.gensalt())
```

#### Java

```bash
# Weak MessageDigest
grep -rniE "MessageDigest\.getInstance.*MD5|MessageDigest\.getInstance.*SHA-1" --include="*.java"

# Should use: BCrypt, Argon2, PBKDF2
grep -rniE "BCrypt|Argon2|PBKDF2|SecretKeyFactory" --include="*.java"
```

#### Go

```bash
# Weak crypto imports
grep -rniE "crypto/md5|crypto/sha1" --include="*.go"

# Should use: bcrypt, argon2
grep -rniE "golang\.org/x/crypto/bcrypt|golang\.org/x/crypto/argon2" --include="*.go"
```

#### PHP

```bash
# Weak hashing
grep -rniE "md5\(|sha1\(" --include="*.php"

# Should use: password_hash
grep -rniE "password_hash|PASSWORD_BCRYPT|PASSWORD_ARGON2" --include="*.php"
```

#### TypeScript

```bash
# Weak crypto
grep -rniE "createHash.*md5|createHash.*sha1" --include="*.ts"

# Should use: bcrypt
grep -rniE "bcrypt\.hash|argon2" --include="*.ts"
```

---

## Weak Encryption Algorithms

### Detection Patterns

```bash
# DES (broken)
grep -rniE "DES|DESede|TripleDES" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# RC4 (broken)
grep -rniE "RC4|ARC4|ARCFOUR" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# ECB mode (insecure)
grep -rniE "ECB|AES/ECB|MODE_ECB" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Blowfish (deprecated)
grep -rniE "Blowfish|BLOWFISH" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```

### Secure Alternatives

| Weak | Secure Alternative |
|------|-------------------|
| DES | AES-256 |
| 3DES | AES-256 |
| RC4 | ChaCha20 or AES-GCM |
| ECB mode | GCM or CBC with HMAC |
| Blowfish | AES-256 |
| RSA-1024 | RSA-2048+ or ECDSA |

---

## Hardcoded Secrets

### Detection Patterns

```bash
# API keys
grep -rniE "api[_-]?key\s*[=:]\s*['\"][a-zA-Z0-9]{16,}['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Passwords
grep -rniE "password\s*[=:]\s*['\"][^'\"]+['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Secret keys
grep -rniE "secret[_-]?key\s*[=:]\s*['\"][^'\"]+['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# AWS credentials
grep -rniE "AKIA[0-9A-Z]{16}|aws_secret_access_key" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.env"

# Private keys
grep -rniE "BEGIN RSA PRIVATE KEY|BEGIN PRIVATE KEY|BEGIN EC PRIVATE KEY" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.pem"

# JWT secrets
grep -rniE "jwt[_-]?secret\s*[=:]\s*['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```

### High-Entropy String Detection

```bash
# Long alphanumeric strings (potential secrets)
grep -rniE "['\"][a-zA-Z0-9+/=]{32,}['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```

---

## Insecure Random Number Generation

### Detection Patterns

```bash
# JavaScript/TypeScript - Math.random (NOT cryptographically secure)
grep -rniE "Math\.random\(\)" --include="*.ts" --include="*.js"

# Python - random module (NOT cryptographically secure)
grep -rniE "import random|from random|random\.random|random\.randint" --include="*.py"

# Java - java.util.Random (NOT cryptographically secure)
grep -rniE "new Random\(\)|java\.util\.Random" --include="*.java"

# PHP - rand/mt_rand (NOT cryptographically secure)
grep -rniE "rand\(|mt_rand\(" --include="*.php"

# Go - math/rand (NOT cryptographically secure)
grep -rniE "math/rand|rand\.Intn|rand\.Int\(" --include="*.go"
```

### Secure Alternatives

| Language | Insecure | Secure |
|----------|----------|--------|
| Python | `random.random()` | `secrets.token_bytes()` |
| Java | `java.util.Random` | `java.security.SecureRandom` |
| Go | `math/rand` | `crypto/rand` |
| JavaScript | `Math.random()` | `crypto.randomBytes()` |
| PHP | `rand()`, `mt_rand()` | `random_bytes()`, `random_int()` |

---

## Insufficient Key Length

### Detection Patterns

```bash
# RSA key size (should be 2048+)
grep -rniE "RSA.*1024|keysize.*1024|KeyPairGenerator.*1024" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# AES key size (should be 256 for sensitive data)
grep -rniE "AES.*128|aes-128" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# HMAC key size
grep -rniE "hmac.*key.*['\"][a-zA-Z0-9]{1,15}['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```

### Minimum Key Lengths

| Algorithm | Minimum | Recommended |
|-----------|---------|-------------|
| RSA | 2048 bits | 4096 bits |
| AES | 128 bits | 256 bits |
| ECDSA | 256 bits | 384 bits |
| HMAC | 256 bits | 512 bits |

---

## Predictable IVs/Nonces

### Detection Patterns

```bash
# Static/zero IV
grep -rniE "iv\s*=\s*['\"]0{16,}['\"]|iv\s*=\s*bytes\(16\)|iv.*\[0,0,0" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Reused nonce
grep -rniE "nonce\s*=\s*['\"]|static.*nonce|const.*nonce" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```

---

## Missing Encryption

### Detection Patterns

```bash
# Plaintext password storage
grep -rniE "password\s*=\s*request|user\.password\s*=\s*" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# HTTP instead of HTTPS
grep -rniE "http://[^localhost]|http://[^127\.0\.0\.1]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"

# Unencrypted database connection
grep -rniE "sslmode=disable|useSSL=false|ssl=false" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.env"
```

---

## Broken Certificate Validation

### Detection Patterns

```bash
# Go - Skip TLS verification
grep -rniE "InsecureSkipVerify\s*:\s*true" --include="*.go"

# Python - Disable SSL verification
grep -rniE "verify\s*=\s*False|CERT_NONE" --include="*.py"

# Java - Trust all certificates
grep -rniE "TrustAllCerts|X509TrustManager|checkServerTrusted.*return" --include="*.java"

# Node.js - Reject unauthorized false
grep -rniE "rejectUnauthorized\s*:\s*false|NODE_TLS_REJECT_UNAUTHORIZED" --include="*.ts" --include="*.js"

# PHP - Disable SSL verification
grep -rniE "CURLOPT_SSL_VERIFYPEER\s*=>\s*false|verify_peer.*false" --include="*.php"
```

---

## Secure Patterns

### Password Hashing

```python
# Python - Argon2 (recommended)
from argon2 import PasswordHasher
ph = PasswordHasher()
hash = ph.hash(password)
```

```java
// Java - BCrypt
String hash = BCrypt.hashpw(password, BCrypt.gensalt(12));
```

```go
// Go - bcrypt
hash, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
```

### Encryption

```python
# Python - AES-GCM
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
key = AESGCM.generate_key(bit_length=256)
aesgcm = AESGCM(key)
nonce = os.urandom(12)  # Random nonce
ciphertext = aesgcm.encrypt(nonce, plaintext, None)
```

### Random Generation

```python
# Python - Secure random
import secrets
token = secrets.token_hex(32)
```

---

## Verification Checklist

- [ ] No MD5/SHA1 for password hashing
- [ ] No DES/RC4/ECB encryption
- [ ] No hardcoded secrets
- [ ] Cryptographically secure RNG used
- [ ] Key lengths meet minimums
- [ ] Random IVs/nonces
- [ ] TLS 1.2+ with valid certificates
- [ ] Secrets from environment/vault

---

## CWE References

| CWE | Name | Example |
|-----|------|---------|
| CWE-326 | Inadequate Encryption | RSA-1024 |
| CWE-327 | Broken Crypto | MD5, DES, RC4 |
| CWE-328 | Reversible Hash | MD5 for passwords |
| CWE-330 | Insufficient Randomness | Math.random for tokens |
| CWE-338 | Weak PRNG | rand() for crypto |
| CWE-798 | Hardcoded Credentials | API keys in code |

Related Skills

We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.