Usage of weak encryption algorithm (RC4)

• Rule ID: javascript_lang_weak_encryption_rc4
• Languages: javascript
• Source: weak_encryption_rc4.yml

Description

Using the RC4 (Rivest Cipher 4) encryption algorithm introduces a significant security vulnerability. RC4 is outdated and has been proven to be susceptible to various attacks, making any data encrypted with it vulnerable to unauthorized access and compromise.

Remediations

• Do not use RC4 for encrypting data. Its weaknesses can lead to compromised data security.
• Do opt for stronger, more secure encryption algorithms like AES-256 when encrypting data. This ensures a higher level of security for your data.

  const crypto = require("crypto");
  
  const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
  const encrypted = cipher.update("my secret message", "utf8");

References

• NodeJS Crypto Module

Associated CWE

• CWE-327: Use of a Broken or Risky Cryptographic Algorithm

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_weak_encryption_rc4

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_weak_encryption_rc4