
Hashes should include an unpredictable salt

    Details

    • Message:
      * Add an unpredictable salt value to this rule.
      * Make this salt unpredictable.
      * Make this salt longer.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C#, C, C++, Java, Python, VB.Net
    • Covered Languages:
      PHP
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Scope:
      Main Sources, Test Sources
    • Implementation details:
    • Common Rule:
      Yes
    • CWE:
      CWE-759, CWE-760
    • OWASP:
      A3
    • SANS Top 25:
      Porous Defenses
    • Fortify:
      weak_cryptographic_hash_predictable_salt

      Description

      In cryptography, a "salt" is an extra piece of data that is included as input to a hashing algorithm. It makes dictionary attacks more difficult: using a cryptographic hash function without an unpredictable salt increases the likelihood that an attacker will be able to guess a hashed value, such as a password, with a dictionary attack.

      This rule raises an issue when a hashing function that has been specifically designed for hashing sensitive data, such as PBKDF2, is used with a non-random, reused or too short salt value. It does not raise an issue on base hashing algorithms such as SHA-1 or MD5, as these are often used for other purposes.

      Recommended Secure Coding Practices

      • Use hashing functions that generate their own salt, or generate a long random salt of at least 32 bytes.
      • Make the salt at least as long as the resulting hash value.
      • Provide the salt to a safe hashing function such as PBKDF2.
      • Save both the salt and the hashed value in the relevant database record; during future validation operations, the salt and hash can then be retrieved from the database. The hash is recalculated with the stored salt and the value being validated, and the result is compared to the stored hash.
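      As an added example (not SonarSource's code or this rule's implementation), the practices above in Python: a per-record random salt, PBKDF2 via hashlib, salt and hash stored together, and a length check mirroring the rule's criteria. The iteration count and the constant-salt value are assumed, constructed values.

```python
# Added example: per-record random salt with PBKDF2, plus a length check
# that mirrors the rule's salt criteria. Not SonarSource's code.
import hashlib
import hmac
import secrets
from typing import Optional

HASH_NAME = "sha256"      # PBKDF2 PRF; its digest is 32 bytes
ITERATIONS = 600_000      # work factor (assumed value)
MIN_SALT_LEN = 32         # rule: at least 32 bytes


def salt_is_acceptable(salt: bytes) -> bool:
    """Rule criteria: salt is >= 32 bytes and >= the resulting hash length."""
    return len(salt) >= MIN_SALT_LEN and len(salt) >= hashlib.new(HASH_NAME).digest_size


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh random salt is generated unless one is
    supplied, which is the verification path against a stored record."""
    if salt is None:
        salt = secrets.token_bytes(MIN_SALT_LEN)   # unpredictable, never reused
    if not salt_is_acceptable(salt):
        raise ValueError("salt does not meet the rule's length criteria")
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def store_record(password: str) -> dict:
    """Both the salt and the hash are persisted in the record."""
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


# Non-compliant shape the rule flags: a short constant salt reused for every user
# (constructed value for illustration).
CONSTANT_SALT = b"salt"
```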

      See

          Issue Links

          • Java RSPEC-2054 Language-Specification Active Unassigned
          • PHP RSPEC-4714 Language-Specification Active Unassigned

              People

              • Assignee: Unassigned
              • Reporter: ann.campbell.2 Ann Campbell