Use of weak hash
Description
The SHA-1 hashing algorithm is no longer considered secure for cryptographic applications due to its vulnerability to collision attacks, where two different inputs produce the same output hash. SHA-1's susceptibility to collision attacks undermines the security of cryptographic operations, allowing attackers to forge signatures or manipulate data without detection. This poses significant risks in authentication systems, data integrity validations, and secure communications.
Examples
Insecure Code
```javascript
const crypto = require('crypto');
const hash = crypto.createHash('sha1').update('sensitive data').digest('hex');
```
Secure Code
```javascript
const crypto = require('crypto');
const hash = crypto.createHash('sha256').update('sensitive data').digest('hex');
```
Remediation
Replace the SHA-1 hashing algorithm with a stronger cryptographic hash function, such as SHA-256 or SHA-3.
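Replacing SHA-1 usually also means dealing with digests that were already stored. The following is an added example, not part of the rule's own code: it assumes stored digests carry an algorithm tag (`sha256:<hex>`), and the names `ALLOWED`, `digest`, `verify`, `needsRehash` and `RECORDS` are hypothetical.

```javascript
const crypto = require('crypto');

// Digest algorithms this example accepts (an assumption of the example, not the rule's list).
// Filtered against crypto.getHashes() so it only names algorithms this Node build provides.
const ALLOWED = ['sha256', 'sha512', 'sha3-256'].filter((a) => crypto.getHashes().includes(a));

// Return an algorithm-tagged digest such as "sha256:<hex>"; refuse anything off the allowlist.
function digest(data, algorithm = 'sha256') {
  const alg = algorithm.toLowerCase();
  if (!ALLOWED.includes(alg)) throw new Error(`digest algorithm not allowed: ${algorithm}`);
  return `${alg}:${crypto.createHash(alg).update(data).digest('hex')}`;
}

// Check data against a stored tagged digest. Records tagged with SHA-1 (or untagged)
// are rejected rather than verified, so a colliding input cannot pass as valid.
function verify(data, stored) {
  const sep = stored.indexOf(':');
  if (sep < 0) return { ok: false, reason: 'untagged' };
  const alg = stored.slice(0, sep).toLowerCase();
  if (!ALLOWED.includes(alg)) return { ok: false, reason: 'weak-algorithm' };
  const expected = Buffer.from(stored.slice(sep + 1), 'hex');
  const actual = crypto.createHash(alg).update(data).digest();
  if (expected.length !== actual.length || !crypto.timingSafeEqual(expected, actual)) {
    return { ok: false, reason: 'mismatch' };
  }
  return { ok: true, reason: 'match' };
}

// Names of stored records whose digest must be recomputed from trusted source data.
function needsRehash(records) {
  return Object.entries(records)
    .filter(([, stored]) => !stored.includes(':') ||
      !ALLOWED.includes(stored.split(':')[0].toLowerCase()))
    .map(([name]) => name);
}

// Constructed sample records: both are digests of the string "abc".
const RECORDS = {
  'legacy.bin': 'sha1:a9993e364706816aba3e25717850c26c9cd0d89d',
  'current.bin': 'sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad',
};

console.log(needsRehash(RECORDS), verify('abc', RECORDS['legacy.bin']));
```

Records flagged by `needsRehash` should be re-hashed from a trusted copy of the data, since a SHA-1 match alone does not establish that the content is the original.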
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0354 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-328 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | hashing, collision attack |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |