Stats
Actions
Tags
From acc
Analyzes PHP code for cryptography vulnerabilities like weak algorithms, hardcoded keys, insecure random, poor key management, and deprecated functions. Ideal for PHP security audits.
How this skill is triggered — by the user, by Claude, or both
Slash command
/acc:check-crypto-usageThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Analyze PHP code for cryptographic vulnerabilities.
Analyze PHP code for cryptographic vulnerabilities.
// CRITICAL: Broken for passwords
$hash = md5($password);
$hash = sha1($password);
$hash = hash('sha256', $password);
$hash = crypt($password, '$1$salt$'); // MD5-based
// CRITICAL: No salt
$hash = hash('sha256', $password); // Rainbow table attack
// CORRECT:
$hash = password_hash($password, PASSWORD_ARGON2ID);
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
// CRITICAL: Deprecated algorithms
$encrypted = mcrypt_encrypt(MCRYPT_DES, $key, $data);
$encrypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data);
// CRITICAL: ECB mode
$encrypted = openssl_encrypt($data, 'aes-256-ecb', $key);
// VULNERABLE: RC4, Blowfish, 3DES
$encrypted = openssl_encrypt($data, 'des-ede3-cbc', $key);
// CORRECT:
$encrypted = openssl_encrypt($data, 'aes-256-gcm', $key, 0, $iv, $tag);
// CRITICAL: Key in source code
$key = 'my-secret-key-12345';
$encrypted = openssl_encrypt($data, 'aes-256-cbc', $key);
// CRITICAL: IV hardcoded
$iv = '1234567890123456';
// CRITICAL: Key derived from password directly
$key = $password; // Should use key derivation function
// CRITICAL: Predictable random
$token = rand();
$token = mt_rand();
$token = uniqid();
$token = time();
$token = microtime();
// CRITICAL: Weak seed
srand(time());
mt_srand(getmypid());
// CORRECT:
$token = bin2hex(random_bytes(32));
$token = random_int(1, 1000000);
// CRITICAL: Key stored with encrypted data
$encrypted = openssl_encrypt($data, 'aes-256-cbc', $key, 0, $iv);
file_put_contents('data.enc', $encrypted . "\n" . $key);
// CRITICAL: Same key for all users
$key = GLOBAL_ENCRYPTION_KEY;
$encrypted = encrypt($userData, $key);
// CRITICAL: Key in database with encrypted data
$user->setEncryptionKey($key);
$user->setEncryptedData($encrypted);
// VULNERABLE: Encryption without authentication
$encrypted = openssl_encrypt($data, 'aes-256-cbc', $key, 0, $iv);
// No MAC/tag - susceptible to bit-flipping
// CORRECT: Authenticated encryption
$encrypted = openssl_encrypt($data, 'aes-256-gcm', $key, 0, $iv, $tag);
// Or use sodium_crypto_aead_*
// CRITICAL: No IV
$encrypted = openssl_encrypt($data, 'aes-256-cbc', $key);
// CRITICAL: Reused IV
static $iv = null;
if (!$iv) $iv = random_bytes(16);
$encrypted = openssl_encrypt($data, 'aes-256-cbc', $key, 0, $iv);
// CRITICAL: IV from predictable source
$iv = str_pad($userId, 16, '0');
// CORRECT:
$iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
// CRITICAL: mcrypt is deprecated (removed PHP 7.2+)
mcrypt_encrypt();
mcrypt_decrypt();
mcrypt_create_iv();
// CRITICAL: create_function (code injection + deprecated)
create_function('$a', 'return $a;');
// VULNERABLE: Non-constant-time comparison
if ($userToken === $storedToken) { }
if (strcmp($a, $b) === 0) { }
// CORRECT:
if (hash_equals($storedToken, $userToken)) { }
// CRITICAL: Disabled SSL verification
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
// CRITICAL: In stream context
$context = stream_context_create([
'ssl' => ['verify_peer' => false]
]);
# Weak hashing
Grep: "md5\(|sha1\(|crypt\(" --glob "**/*.php"
# Weak encryption
Grep: "mcrypt_|MCRYPT_|des-|rc4|blowfish" -i --glob "**/*.php"
# Hardcoded keys
Grep: "(key|secret|password)\s*=\s*['\"][^'\"]{8,}['\"]" -i --glob "**/*.php"
# Weak random
Grep: "rand\(|mt_rand\(|uniqid\(" --glob "**/*.php"
# Disabled SSL
Grep: "SSL_VERIFYPEER.*false|verify_peer.*false" --glob "**/*.php"
# Non-constant-time comparison
Grep: "===.*token|\$token\s*===" --glob "**/*.php"
| Pattern | Severity |
|---|---|
| MD5/SHA1 for passwords | 🔴 Critical |
| Hardcoded encryption keys | 🔴 Critical |
| Disabled SSL verification | 🔴 Critical |
| Predictable random | 🔴 Critical |
| ECB mode encryption | 🟠 Major |
| Missing integrity check | 🟠 Major |
| Timing attack | 🟠 Major |
| Reused IV | 🟠 Major |
$hash = password_hash($password, PASSWORD_ARGON2ID, [
'memory_cost' => 65536,
'time_cost' => 4,
'threads' => 3
]);
// Or bcrypt
$hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
// Use libsodium (built into PHP 7.2+)
$key = sodium_crypto_secretbox_keygen();
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$encrypted = sodium_crypto_secretbox($data, $nonce, $key);
// Or OpenSSL with GCM
$iv = random_bytes(12);
$encrypted = openssl_encrypt($data, 'aes-256-gcm', $key, 0, $iv, $tag);
$bytes = random_bytes(32);
$int = random_int(1, 100);
$key = sodium_crypto_pwhash(
32,
$password,
$salt,
SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
);
### Cryptography Issue: [Description]
**Severity:** 🔴/🟠/🟡
**Location:** `file.php:line`
**CWE:** CWE-327 (Use of Broken Crypto Algorithm)
**Issue:**
[Description of the cryptographic weakness]
**Attack Vector:**
[How attacker exploits this]
**Code:**
```php
// Vulnerable code
Fix:
// Secure cryptography
npx claudepluginhub dykyi-roman/awesome-claude-code --plugin accDetects cryptographic failures like weak hashing (MD5/SHA1), hardcoded secrets, insecure randomness in Python, Java, Go, PHP, TypeScript code using grep patterns for whitebox pentesting.
Detects weak or broken cryptography: weak password hashing, non-cryptographic PRNG for tokens, hardcoded keys, and insecure encryption modes.
Scans Python and configuration files for cryptographic weaknesses: deprecated algorithms, insecure modes, hardcoded keys, weak entropy, and TLS misconfigurations. Use during security assessments or compliance reviews.