diff --git a/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp b/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
index cd3f86f6bed..74c8582dca8 100644
--- a/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
+++ b/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.qhelp
@@ -12,7 +12,7 @@ data.
-Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048.
+Ensure that you use a strong, modern cryptographic algorithm. Use at least AES-128 or RSA-2048. Do not use the ECB encryption mode since it is vulnerable to reply attacks.
diff --git a/java/ql/src/semmle/code/java/security/Encryption.qll b/java/ql/src/semmle/code/java/security/Encryption.qll
index ea7a33151f8..29ad9a3cfaf 100644
--- a/java/ql/src/semmle/code/java/security/Encryption.qll
+++ b/java/ql/src/semmle/code/java/security/Encryption.qll
@@ -97,7 +97,9 @@ string getAnInsecureAlgorithmName() {
result = "RC2" or
result = "RC4" or
result = "RC5" or
- result = "ARCFOUR" // a variant of RC4
+ result = "ARCFOUR" or // a variant of RC4
+ result = "ECB" or // encryption mode ECB like AES/ECB/NoPadding is vulnerable to replay attacks
+ result = "AES/CBC/PKCS5Padding" // CBC mode of operation with PKCS#5 (or PKCS#7) padding is vulnerable to padding oracle attacks
}
/**
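Review bot: The comment added on the "ECB" line mis-describes the weakness: ECB's problem is that it is deterministic, so equal plaintext blocks encrypt to equal ciphertext blocks and the structure of the data leaks, not replay (which is a protocol-level concern that no mode of operation prevents on its own); the qhelp hunk in this commit repeats the same claim and spells it "reply attacks". Suggested comment: `result = "ECB" or // ECB mode (e.g. AES/ECB/NoPadding) is deterministic: equal plaintext blocks give equal ciphertext blocks, leaking structure`. The "AES/CBC/PKCS5Padding" entry is also doubtful as a broken-algorithm name: CBC with PKCS#5 padding is only open to padding-oracle attacks when the ciphertext is not authenticated, so listing it beside DES and RC4 will flag correctly authenticated uses, and it is inconsistent with the bare "ECB" token, since "DESede/CBC/PKCS5Padding" or "AES/CBC/PKCS7Padding" would not match; if it stays, the comment should say the finding is about missing authentication rather than a broken algorithm. If this predicate is consumed as a substring match, as the existing "des_function" test cases suggest, the short token "ECB" may also match unrelated identifiers and deserves a word in the comment. The enclosing predicate getAnInsecureAlgorithmName starts outside the hunk.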
diff --git a/java/ql/test/library-tests/Encryption/Test.java b/java/ql/test/library-tests/Encryption/Test.java
index e5a1996f28c..e010eaf5849 100644
--- a/java/ql/test/library-tests/Encryption/Test.java
+++ b/java/ql/test/library-tests/Encryption/Test.java
@@ -10,7 +10,10 @@ class Test {
"des",
"des_function",
"function_using_des",
- "EncryptWithDES");
+ "EncryptWithDES",
+ "AES/ECB/NoPadding",
+ "AES/CBC/PKCS5Padding");
+
List goodStrings = Arrays.asList(
"AES",
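Review bot: The new badStrings entries are not matched by a negative case, so the test cannot show that the new "ECB" and "AES/CBC/PKCS5Padding" names leave authenticated transformations alone; adding `"AES/GCM/NoPadding",` to goodStrings would pin that, and a "DESede/CBC/PKCS5Padding" entry in either list would document which way the new CBC rule is meant to go for a non-AES cipher. The `List goodStrings` declaration uses a raw type, but that is pre-existing context rather than part of this change. The enclosing class Test starts outside the hunk and goodStrings continues past it.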
diff --git a/java/ql/test/library-tests/Encryption/insecure.expected b/java/ql/test/library-tests/Encryption/insecure.expected
index 1e9728f0fcd..1bc1dc71e4d 100644
--- a/java/ql/test/library-tests/Encryption/insecure.expected
+++ b/java/ql/test/library-tests/Encryption/insecure.expected
@@ -3,3 +3,5 @@
| Test.java:11:4:11:17 | "des_function" |
| Test.java:12:4:12:23 | "function_using_des" |
| Test.java:13:4:13:19 | "EncryptWithDES" |
+| Test.java:14:4:14:22 | "AES/ECB/NoPadding" |
+| Test.java:15:4:15:25 | "AES/CBC/PKCS5Padding" |