| name | sc-crypto |
| description | Cryptography misuse detection — weak algorithms, ECB mode, static IVs, weak PRNG, and key management flaws |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
SC: Cryptography Misuse
Purpose
Detects cryptographic implementation errors including use of weak algorithms (MD5, SHA1 for security), insecure cipher modes (ECB), static or hardcoded initialization vectors, missing authentication (AES-CBC without HMAC), weak pseudo-random number generators for security purposes, insufficient key lengths, and disabled certificate validation.
Activation
Called by sc-orchestrator during Phase 2. Always runs.
Phase 1: Discovery
Keyword Patterns to Search
# Weak algorithms
"MD5", "md5", "SHA1", "sha1", "DES", "3DES", "RC4", "RC2",
"Blowfish", "IDEA"
# Cipher modes
"ECB", "CBC", "AES/ECB", "AES/CBC", "Mode.ECB"
# Initialization vectors
"iv =", "IV =", "nonce =", "static.*iv", "hardcoded.*iv",
"bytes(16)", "b'\\x00' * 16"
# Weak PRNG
"Math.random(", "random.random(", "random.randint(",
"rand()", "srand(", "java.util.Random", "System.Random"
# Key management
"key =", "encryption_key", "secret_key",
"AES.new(", "Cipher.getInstance(", "crypto.createCipheriv("
# TLS/SSL
"verify=False", "verify_ssl=False", "rejectUnauthorized: false",
"InsecureSkipVerify", "TLSv1", "SSLv3",
"CERT_NONE", "CERT_OPTIONAL"
Vulnerability Patterns
1. Weak Hash for Security:
password_hash = hashlib.md5(password.encode()).hexdigest()
signature = hashlib.sha1(data.encode()).hexdigest()
password_hash = bcrypt.hashpw(password.encode(), bcrypt.gensalt())
signature = hashlib.sha256(data.encode()).hexdigest()
2. ECB Mode:
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
3. Static IV:
const iv = Buffer.from('0000000000000000');
const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv('aes-256-cbc', key, iv);
4. Weak PRNG for Security:
const token = Math.random().toString(36).substring(2);
const token = crypto.randomBytes(32).toString('hex');
5. Disabled Certificate Validation:
requests.get(url, verify=False)
requests.get(url, verify=True)
Severity Classification
- Critical: Disabled certificate validation on auth endpoints, ECB mode for sensitive data, hardcoded encryption keys
- High: MD5/SHA1 for password hashing, static IVs, Math.random for security tokens
- Medium: AES-CBC without HMAC, weak key length, deprecated TLS versions
- Low: MD5/SHA1 for non-security checksums flagged as security issue, weak PRNG in non-security context
Output Format
Finding: CRYPTO-{NNN}
- Title: {Cryptography misuse type}
- Severity: Critical | High | Medium | Low
- Confidence: 0-100
- File: file/path:line
- Vulnerability Type: CWE-327 (Broken Crypto) | CWE-328 (Weak Hash) | CWE-330 (Insufficient Randomness) | CWE-338 (Weak PRNG)
- Description: {What cryptographic weakness was found}
- Impact: Data decryption, signature forgery, token prediction, MitM attacks.
- Remediation: {Use AES-256-GCM, bcrypt/argon2, crypto.randomBytes, proper TLS}
- References: https://cwe.mitre.org/data/definitions/327.html
Common False Positives
- MD5/SHA1 for checksums — file integrity checks, cache keys, non-security hashing
- Math.random for UI — random colors, shuffling non-sensitive lists
- Test certificates — self-signed certs and verify=False in test environments
- Legacy compatibility — documented legacy support with migration plan
- Content hashing — git SHAs, ETag generation, deduplication hashes