Use of weak hash
Description
The MD5 hashing algorithm is considered cryptographically weak and vulnerable to collision attacks, where two different inputs generate the same output hash. When used for hashing sensitive data, attackers can exploit this weakness to generate collisions, allowing them to bypass security checks or masquerade malicious data as legitimate. This vulnerability is particularly critical in authentication mechanisms, digital signatures, SSL/TLS certificates, and data integrity checks.
Examples
Insecure Code
javascript
const crypto = require('crypto'); const hash = crypto.createHash('md5').update('sensitive data').digest('hex');Secure Code
javascript
const crypto = require('crypto'); const hash = crypto.createHash('sha256').update('sensitive data').digest('hex');Remediation
Replace the MD5 hashing algorithm with stronger cryptographic hash functions, such as SHA-256 or SHA-3.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0353 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-328 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | hashing, collision attacks |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |