Details

    • Message:
      Make sure that hashing data is safe here.
    • Highlighting:
      The hashing function call
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      APEX, C, C++, Cobol, Go, Kotlin, Objective-C, PL/I, PL/SQL, Ruby, Rust, Scala, Swift, T-SQL, TypeScript, VB6
    • Covered Languages:
      ABAP, C#, Java, JavaScript, PHP, Python, VB.Net
    • Irrelevant for Languages:
      HTML, XML
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-759, CWE-760, CWE-916, CWE-328, CWE-327
    • OWASP:
      A3, A6
    • SANS Top 25:
      Porous Defenses
    • FindSecBugs:
      WEAK_MESSAGE_DIGEST_MD5, WEAK_MESSAGE_DIGEST_SHA1

      Description

      Hashing data is security-sensitive. It has led in the past to the following vulnerabilities:

      Cryptographic hash functions are used to uniquely identify information without storing its original form. When this is not done properly, an attacker can recover the original information by guessing it (for example with a rainbow table), or replace the original data with different data that has the same hash.

      This rule flags code that initiates hashing.

      Ask Yourself Whether

      • the hashed value is used in a security context.
      • the hashing algorithm you are using is known to have vulnerabilities.
      • salts are not automatically generated and applied by the hashing function.
      • any generated salts are cryptographically weak or not credential-specific.

      You are at risk if you answered yes to the first question and any of the following ones.

      Recommended Secure Coding Practices

      • for security-related purposes, use only hashing algorithms that are currently known to be strong. Avoid algorithms like MD5 and SHA1 completely in security contexts.
      • do not define your own hashing or salt algorithms, as they will most probably have flaws.
      • do not use algorithms that compute too quickly, like SHA256, because brute-force and dictionary-based attacks must remain beyond the capabilities of modern hardware.
      • use a hashing algorithm that generates its own salts as part of the hashing. If you generate your own salts, make sure that a cryptographically strong salt algorithm is used, that generated salts are credential-specific, and finally, that the salt is applied correctly before the hashing.
      • save both the salt and the hashed value in the relevant database record; during future validation operations, the salt and hash can then be retrieved from the database. The hash is recalculated with the stored salt and the value being validated, and the result is compared to the stored hash.
      • the strength of hashing algorithms often decreases over time as hardware capabilities increase. Check regularly that the algorithms you are using are still considered secure. If needed, rehash your data using a stronger algorithm.
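The practices above, worked through as an added Python example (this is illustration code, not part of the rule specification or of any Sonar analyzer): the unsalted MD5 call is the shape of code this rule flags, while `hash_password` uses a deliberately slow, salted derivation (PBKDF2-HMAC-SHA256 from the standard library), stores the salt and work factor beside the digest, verifies by recomputing with the stored salt, and `needs_rehash` supports the last recommendation by spotting records whose work factor has fallen below the current minimum. The `algorithm$iterations$salt$digest` record layout and the 600,000-iteration default are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Record layout is an assumption made for this example, not a Sonar or library format:
#   "pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>"
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # deliberately slow; raise it as hardware gets faster
SALT_BYTES = 16


def weak_hash_password(password: str) -> str:
    """The pattern this rule flags: a fast, unsalted MD5 digest.

    Two users with the same password get the same digest, and a precomputed
    (rainbow) table recovers common passwords directly.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, slow hash. The salt is fresh per credential and stored with the digest."""
    salt = secrets.token_bytes(SALT_BYTES)  # cryptographically strong, credential-specific
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse_record(stored: str):
    """Return (iterations, salt, digest), or None for a malformed or foreign record."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    parsed = _parse_record(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record uses another algorithm or a work factor below today's minimum."""
    parsed = _parse_record(stored)
    return parsed is None or parsed[0] < minimum_iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
    print(needs_rehash(record))                                      # False
```

On a successful login, `needs_rehash` lets the application transparently re-derive and store the credential with the current work factor, which is how the "rehash your data using a stronger algorithm" step is applied without a mass reset.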

      See

      Issue Links

      1. Java RSPEC-4843 Language-Specification Active Unassigned
      2. C# RSPEC-4940 Language-Specification Active Unassigned
      3. PHP RSPEC-4956 Language-Specification Active Unassigned
      4. VB.NET RSPEC-5006 Language-Specification Active Unassigned
      5. JavaScript RSPEC-5081 Language-Specification Active Unassigned
      6. TypeScript RSPEC-5464 Language-Specification Active Unassigned
      7. Python RSPEC-5230 Language-Specification Active Unassigned
      8. ABAP RSPEC-5295 Language-Specification Active Unassigned

      People

      • Assignee:
        Unassigned
      • Reporter:
        nicolas.harraudeau Nicolas Harraudeau
      • Votes:
        0
      • Watchers:
        3
