Predictable initialization vector detected.

Description

Applications that encrypt with Cipher Block Chaining (CBC) mode must not use a predictable Initialization Vector (IV): a predictable IV facilitates dictionary attacks.

Remediations

❌ Avoid using a static Initialization Vector:

openssl_encrypt($data, "aes-256-cbc", $key, iv: "literal-iv"); // the same hard-coded IV is reused for every message
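
The remediated form, as an added example that is not code from the Bearer rule page: a fresh IV from PHP's CSPRNG for every message, carried alongside the ciphertext so the recipient can decrypt. The function names and the `$key` variable are assumptions.

```php
<?php
// Added example: AES-256-CBC with an unpredictable, per-message IV.
// $key is assumed to be a 32-byte secret loaded from a secure source.

const CIPHER = 'aes-256-cbc';

function encrypt_cbc(string $plaintext, string $key): string
{
    // Fresh IV from the CSPRNG, exactly the length the cipher expects (16 bytes for AES).
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ciphertext = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    // The IV need not be secret, only unpredictable; prepend it so it travels with the data.
    return $iv . $ciphertext;
}

function decrypt_cbc(string $blob, string $key): string
{
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if (strlen($blob) < $ivLen) {
        throw new RuntimeException('input too short to contain an IV');
    }
    $iv = substr($blob, 0, $ivLen);
    $ciphertext = substr($blob, $ivLen);
    $plaintext = openssl_decrypt($ciphertext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($plaintext === false) {
        throw new RuntimeException('decryption failed: ' . openssl_error_string());
    }
    return $plaintext;
}

// Constructed demo key; in practice load it from a secrets store, never hard-code it.
$key = random_bytes(32);

// Encrypting the same plaintext twice yields different ciphertexts,
// which is exactly what a static IV would fail to provide.
$a = encrypt_cbc('same message', $key);
$b = encrypt_cbc('same message', $key);
var_dump($a !== $b);
var_dump(decrypt_cbc($a, $key) === 'same message');
```

CBC on its own gives no integrity protection, so in practice the IV-plus-ciphertext blob should also be authenticated (for example with an HMAC) before decryption.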

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_cbc_predictable_iv

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_cbc_predictable_iv
