RSPEC-4790: Using weak hashing algorithms is security-sensitive

    Details

    • Message:
      Make sure this weak hash algorithm is not used in a sensitive context here.
    • Highlighting:
      The hashing function call
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      APEX, Cobol, Go, Kotlin, PL/I, Ruby, Rust, Scala, T-SQL, VB6
    • Covered Languages:
      ABAP, C#, C, C++, Java, JavaScript, Objective-C, PHP, PL/SQL, Python, Swift, TypeScript, VB.Net
    • Irrelevant for Languages:
      HTML, XML
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-916, CWE-327, CWE-328
    • OWASP:
      A3, A6
    • SANS Top 25:
      Porous Defenses
    • FindSecBugs:
      WEAK_MESSAGE_DIGEST_MD5, WEAK_MESSAGE_DIGEST_SHA1
    • FxCop:
      CA5384

      Description

      Cryptographic hash algorithms such as MD2, MD4, MD5, MD6, HAVAL-128, HMAC-MD5, DSA (which uses SHA-1), RIPEMD, RIPEMD-128, RIPEMD-160, HMACRIPEMD160 and SHA-1 are no longer considered secure, because it is possible to have collisions (little computational effort is enough to find two or more different inputs that produce the same hash).

      Ask Yourself Whether

      The hashed value is used in a security context like:

      • User-password storage.
      • Security token generation (used to confirm an e-mail address when registering on a website, to reset a password, etc.).
      • Message integrity computation.

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      Safer alternatives such as SHA-256, SHA-512 or SHA-3 are recommended. For password hashing, it is even better to use algorithms that do not compute too "quickly", like bcrypt, scrypt, argon2 or pbkdf2, because they slow down brute-force attacks.
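
The sensitive pattern next to the recommended one, as an added Python example (not part of the rule text): an unsalted MD5 password hash, then PBKDF2 password storage and a SHA-256 based integrity tag. The function names, the record format and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for this example; tune it to your hardware.
PBKDF2_ITERATIONS = 600_000


def weak_password_hash(password: str) -> str:
    """Sensitive: unsalted MD5, the kind of call this rule highlights."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Safer: PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Store scheme, cost and salt with the hash so the cost can be raised later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    except ValueError:
        # Malformed record, including a bare legacy MD5 hex digest.
        return False
    return hmac.compare_digest(key, expected)


def integrity_tag(key: bytes, message: bytes) -> str:
    """Message integrity: keyed HMAC-SHA-256 instead of MD5 or SHA-1."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()
```

Two users with the same password get the same `weak_password_hash` output, while `hash_password` returns a different record on every call because of the random salt.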

      See

          Issue Links

          1. Java RSPEC-4843 Language-Specification Active Unassigned
          2. C# RSPEC-4940 Language-Specification Active Unassigned
          3. PHP RSPEC-4956 Language-Specification Active Unassigned
          4. VB.NET RSPEC-5006 Language-Specification Active Unassigned
          5. JavaScript RSPEC-5081 Language-Specification Active Unassigned
          6. Python RSPEC-5230 Language-Specification Active Unassigned
          7. ABAP RSPEC-5295 Language-Specification Active Unassigned
          8. Swift RSPEC-5984 Language-Specification Active Unassigned
          9. T-SQL RSPEC-5985 Language-Specification Active Unassigned
          10. C-Family RSPEC-6053 Language-Specification Active Unassigned
          11. Kotlin RSPEC-6238 Language-Specification Active Unassigned

              People

              Assignee:
              Unassigned
              Reporter:
              Nicolas Harraudeau (Inactive)