From vuln-scout
Detects cryptographic failures like weak hashing (MD5/SHA1), hardcoded secrets, insecure randomness in Python, Java, Go, PHP, TypeScript code using grep patterns for whitebox pentesting.
Slash command: `/vuln-scout:cryptographic-failures`
Provide detection patterns for cryptographic vulnerabilities including weak algorithms, hardcoded secrets, insufficient key lengths, and insecure random number generation.
Category: A02 - Cryptographic Failures
CWEs:
Activate this skill when:
```bash
# MD5 usage (broken for security)
grep -rniE "md5\(|MD5\.|hashlib\.md5|MessageDigest.*MD5|crypto\.MD5" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# SHA1 usage (deprecated for security)
grep -rniE "sha1\(|SHA1\.|hashlib\.sha1|MessageDigest.*SHA-1|crypto\.SHA1" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Password hashing with weak algorithms
grep -rniE "password.*md5|password.*sha1|hash.*password.*md5" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```

```bash
# Weak hashing
grep -rniE "hashlib\.md5|hashlib\.sha1" --include="*.py"
# Should use: bcrypt, argon2, scrypt
grep -rniE "bcrypt|argon2|scrypt" --include="*.py"
```
Vulnerable:
```python
import hashlib

# VULNERABLE: MD5 for passwords
password_hash = hashlib.md5(password.encode()).hexdigest()
```
Secure:
```python
import bcrypt

# SAFE: bcrypt for passwords
password_hash = bcrypt.hashpw(password.encode(), bcrypt.gensalt())
```
```bash
# Weak MessageDigest
grep -rniE "MessageDigest\.getInstance.*MD5|MessageDigest\.getInstance.*SHA-1" --include="*.java"
# Should use: BCrypt, Argon2, PBKDF2
grep -rniE "BCrypt|Argon2|PBKDF2|SecretKeyFactory" --include="*.java"
```

```bash
# Weak crypto imports
grep -rniE "crypto/md5|crypto/sha1" --include="*.go"
# Should use: bcrypt, argon2
grep -rniE "golang\.org/x/crypto/bcrypt|golang\.org/x/crypto/argon2" --include="*.go"
```

```bash
# Weak hashing
grep -rniE "md5\(|sha1\(" --include="*.php"
# Should use: password_hash
grep -rniE "password_hash|PASSWORD_BCRYPT|PASSWORD_ARGON2" --include="*.php"
```

```bash
# Weak crypto
grep -rniE "createHash.*md5|createHash.*sha1" --include="*.ts"
# Should use: bcrypt
grep -rniE "bcrypt\.hash|argon2" --include="*.ts"
```
```bash
# DES (broken)
grep -rniE "DES|DESede|TripleDES" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# RC4 (broken)
grep -rniE "RC4|ARC4|ARCFOUR" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# ECB mode (insecure)
grep -rniE "ECB|AES/ECB|MODE_ECB" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Blowfish (deprecated)
grep -rniE "Blowfish|BLOWFISH" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```
| Weak | Secure Alternative |
|---|---|
| DES | AES-256 |
| 3DES | AES-256 |
| RC4 | ChaCha20 or AES-GCM |
| ECB mode | GCM or CBC with HMAC |
| Blowfish | AES-256 |
| RSA-1024 | RSA-2048+ or ECDSA |
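
The weak-cipher patterns are run with `-i`, so `DES` also matches ordinary words such as "description". The following added example (not part of vuln-scout) counts matches on constructed, labelled sample lines for the page's DES pattern and for a tightened, case-sensitive variant; `TIGHT_PATTERN`, `cipher_samples` and `count_flagged` are assumptions of this example.

```shell
#!/bin/sh
# Added example: measure how noisy a weak-cipher grep pattern is before using it
# on a large code base. Sample lines are constructed for this example:
# "hit" = a real weak-cipher use, "miss" = benign code that must not be flagged.
cipher_samples() {
  cat <<'EOF'
hit|Cipher c = Cipher.getInstance("DES/CBC/PKCS5Padding");
hit|cipher = DES.new(key, DES.MODE_ECB)
hit|SecretKeyFactory.getInstance("DESede")
hit|algo = "TripleDES"
miss|description = "user profile"
miss|# design notes for the nodes module
miss|func (n *Node) Describe() string {
EOF
}

# The page's pattern (used there with -i) and a tightened variant (assumption):
# case-sensitive, and the cipher name must not sit inside a longer word.
PAGE_PATTERN='DES|DESede|TripleDES'
TIGHT_PATTERN='(^|[^A-Za-z])(3?DES|DESede|TripleDES)([^a-z]|$)'

# count_flagged LABEL PATTERN [extra grep flags...]
# Prints how many sample lines carrying LABEL the pattern matches.
count_flagged() {
  label=$1 pat=$2; shift 2
  cipher_samples | grep "^$label|" | cut -d'|' -f2- | grep -cE "$@" -e "$pat" || true
}

# report: false positives and true hits for both patterns
precision_report() {
  printf 'page  pattern (-i): %s/4 hits, %s false positives\n' \
    "$(count_flagged hit "$PAGE_PATTERN" -i)" "$(count_flagged miss "$PAGE_PATTERN" -i)"
  printf 'tight pattern     : %s/4 hits, %s false positives\n' \
    "$(count_flagged hit "$TIGHT_PATTERN")" "$(count_flagged miss "$TIGHT_PATTERN")"
}
```

Call `precision_report` to print both rows; extend `cipher_samples` with lines from the code base under review before trusting either pattern.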
```bash
# API keys
grep -rniE "api[_-]?key\s*[=:]\s*['\"][a-zA-Z0-9]{16,}['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Passwords
grep -rniE "password\s*[=:]\s*['\"][^'\"]+['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Secret keys
grep -rniE "secret[_-]?key\s*[=:]\s*['\"][^'\"]+['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# AWS credentials
grep -rniE "AKIA[0-9A-Z]{16}|aws_secret_access_key" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.env"
# Private keys
grep -rniE "BEGIN RSA PRIVATE KEY|BEGIN PRIVATE KEY|BEGIN EC PRIVATE KEY" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.pem"
# JWT secrets
grep -rniE "jwt[_-]?secret\s*[=:]\s*['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Long alphanumeric strings (potential secrets)
grep -rniE "['\"][a-zA-Z0-9+/=]{32,}['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```
```bash
# JavaScript/TypeScript - Math.random (NOT cryptographically secure)
grep -rniE "Math\.random\(\)" --include="*.ts" --include="*.js"
# Python - random module (NOT cryptographically secure)
grep -rniE "import random|from random|random\.random|random\.randint" --include="*.py"
# Java - java.util.Random (NOT cryptographically secure)
grep -rniE "new Random\(\)|java\.util\.Random" --include="*.java"
# PHP - rand/mt_rand (NOT cryptographically secure)
grep -rniE "rand\(|mt_rand\(" --include="*.php"
# Go - math/rand (NOT cryptographically secure)
grep -rniE "math/rand|rand\.Intn|rand\.Int\(" --include="*.go"
```
| Language | Insecure | Secure |
|---|---|---|
| Python | random.random() | secrets.token_bytes() |
| Java | java.util.Random | java.security.SecureRandom |
| Go | math/rand | crypto/rand |
| JavaScript | Math.random() | crypto.randomBytes() |
| PHP | rand(), mt_rand() | random_bytes(), random_int() |
```bash
# RSA key size (should be 2048+)
grep -rniE "RSA.*1024|keysize.*1024|KeyPairGenerator.*1024" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# AES key size (should be 256 for sensitive data)
grep -rniE "AES.*128|aes-128" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# HMAC key size
grep -rniE "hmac.*key.*['\"][a-zA-Z0-9]{1,15}['\"]" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```
| Algorithm | Minimum | Recommended |
|---|---|---|
| RSA | 2048 bits | 4096 bits |
| AES | 128 bits | 256 bits |
| ECDSA | 256 bits | 384 bits |
| HMAC | 256 bits | 512 bits |
```bash
# Static/zero IV
grep -rniE "iv\s*=\s*['\"]0{16,}['\"]|iv\s*=\s*bytes\(16\)|iv.*\[0,0,0" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Reused nonce
grep -rniE "nonce\s*=\s*['\"]|static.*nonce|const.*nonce" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```

```bash
# Plaintext password storage
grep -rniE "password\s*=\s*request|user\.password\s*=\s*" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
```
```bash
# HTTP instead of HTTPS
# A bracket expression such as [^localhost] excludes single characters, not the word,
# so the exclusion uses a PCRE negative lookahead (-P, GNU grep built with PCRE).
grep -rniP 'http://(?!localhost|127\.0\.0\.1)' --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php"
# Unencrypted database connection
grep -rniE "sslmode=disable|useSSL=false|ssl=false" --include="*.go" --include="*.py" --include="*.java" --include="*.ts" --include="*.php" --include="*.env"
```
```bash
# Go - Skip TLS verification
grep -rniE "InsecureSkipVerify\s*:\s*true" --include="*.go"
# Python - Disable SSL verification
grep -rniE "verify\s*=\s*False|CERT_NONE" --include="*.py"
# Java - Trust all certificates
grep -rniE "TrustAllCerts|X509TrustManager|checkServerTrusted.*return" --include="*.java"
# Node.js - Reject unauthorized false
grep -rniE "rejectUnauthorized\s*:\s*false|NODE_TLS_REJECT_UNAUTHORIZED" --include="*.ts" --include="*.js"
# PHP - Disable SSL verification
grep -rniE "CURLOPT_SSL_VERIFYPEER\s*=>\s*false|verify_peer.*false" --include="*.php"
```
```python
# Python - Argon2 (recommended)
from argon2 import PasswordHasher
ph = PasswordHasher()
hash = ph.hash(password)
```

```java
// Java - BCrypt
String hash = BCrypt.hashpw(password, BCrypt.gensalt(12));
```

```go
// Go - bcrypt
hash, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
```

```python
# Python - AES-GCM
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
key = AESGCM.generate_key(bit_length=256)
aesgcm = AESGCM(key)
nonce = os.urandom(12)  # Random nonce, must be unique per message under the same key
ciphertext = aesgcm.encrypt(nonce, plaintext, None)
```

```python
# Python - Secure random
import secrets
token = secrets.token_hex(32)
```
| CWE | Name | Example |
|---|---|---|
| CWE-326 | Inadequate Encryption | RSA-1024 |
| CWE-327 | Broken Crypto | MD5, DES, RC4 |
| CWE-328 | Reversible Hash | MD5 for passwords |
| CWE-330 | Insufficient Randomness | Math.random for tokens |
| CWE-338 | Weak PRNG | rand() for crypto |
| CWE-798 | Hardcoded Credentials | API keys in code |
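
One way to turn the grep patterns and the CWE table above into a single triage pass, as an added example that is not vuln-scout's own code: each rule carries its CWE id, third-party directories are skipped, and only `file:line` is reported so a matched secret never ends up in the scan output. The rule subset, the function names and the constructed sample tree are assumptions of this example; the AWS key id in the sample is AWS's published documentation placeholder.

```shell
#!/bin/sh
# Added example: CWE-tagged scan built from a subset of the page's patterns.
TAB=$(printf '\t')

# One rule per record: CWE id, label, extended regex (case-sensitive here).
crypto_rules() {
  printf '%s\t%s\t%s\n' \
    CWE-327 weak-hash 'hashlib\.md5|hashlib\.sha1|crypto/md5|crypto/sha1|createHash.*md5' \
    CWE-327 ecb-mode  'AES/ECB|MODE_ECB' \
    CWE-326 rsa-1024  'RSA.*1024|keysize.*1024|KeyPairGenerator.*1024' \
    CWE-338 weak-prng 'Math\.random\(\)|java\.util\.Random|mt_rand\(|math/rand' \
    CWE-798 aws-key   'AKIA[0-9A-Z]{16}'
}

# scan_crypto DIR -> lines of "CWE<TAB>label<TAB>file:line".
# The matched text is dropped on purpose; -I skips binary files.
scan_crypto() {
  crypto_rules | while IFS="$TAB" read -r cwe label re; do
    grep -rnIE --exclude-dir=.git --exclude-dir=node_modules --exclude-dir=vendor \
      -e "$re" "$1" 2>/dev/null </dev/null |
      while IFS=: read -r file line rest; do
        printf '%s\t%s\t%s:%s\n' "$cwe" "$label" "$file" "$line"
      done
  done
}

# Constructed sample tree (not real project code); prints the temp dir path.
make_sample_tree() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/app" "$d/vendor/lib"
  printf '%s\n' 'import hashlib' 'h = hashlib.md5(pw.encode()).hexdigest()' >"$d/app/auth.py"
  printf '%s\n' 'const t = Math.random().toString(36);' >"$d/app/token.ts"
  printf '%s\n' 'Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");' >"$d/app/Enc.java"
  printf '%s\n' 'aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"' >"$d/app/settings.py"
  printf '%s\n' 'import "crypto/md5"' >"$d/vendor/lib/sum.go"
  printf '%s\n' "$d"
}
```

Run `scan_crypto "$(make_sample_tree)"` to see four findings from `app/`; the `crypto/md5` import under `vendor/` is skipped by `--exclude-dir`.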
npx claudepluginhub allsmog/vuln-scout --plugin whitebox-pentest