Use of weak hash
Description
Detected usage of a weak cryptographic hash function. Consider using stronger alternatives such as those provided by the Sodium library in PHP.
Examples
Insecure Code

```php
// MD5 is collision-broken and fast to brute-force; flagged by this rule.
$hash = md5('password');
```

Secure Code

```php
// SHA-256 digest, returned as raw binary (third argument true).
$hash = hash('sha256', 'password', true);
```

Remediation
Replace weak crypto functions (crypt, md5, md5_file, sha1, sha1_file, str_rot13) with stronger alternatives from the Sodium library or other secure cryptographic libraries.
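The following is an added example written for this page, not code from the rule's author or from the Sodium project. It shows the replacement for each flagged use case the remediation lists: a content digest (replacing `md5()`/`sha1()`), a file digest (replacing `md5_file()`/`sha1_file()`), and password storage, where even a strong general-purpose hash such as SHA-256 is the wrong tool and a salted, memory-hard password hash from Sodium is used instead. It assumes PHP 7.2 or later with the bundled Sodium extension enabled; the function names and sample inputs are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not part of the rule page. Assumes PHP >= 7.2 with the
// bundled Sodium extension. Run with: php weak_hash_remediation.php

// 1. Content/integrity digest: replaces md5()/sha1().
//    sodium_crypto_generichash() is BLAKE2b with a 32-byte output by default;
//    hash('sha256', ...) is the non-Sodium equivalent used in the secure example.
function integrityDigest(string $data): string
{
    return sodium_bin2hex(sodium_crypto_generichash($data));
}

// 2. File digest: replaces md5_file()/sha1_file().
function fileDigest(string $path): string
{
    return hash_file('sha256', $path);
}

// 3. Password storage: a fast hash (MD5, SHA-1, even SHA-256) is unsuitable.
//    sodium_crypto_pwhash_str() produces a salted Argon2id string that embeds
//    its own parameters, so it can be stored directly and verified later.
function hashPassword(string $password): string
{
    return sodium_crypto_pwhash_str(
        $password,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

function verifyPassword(string $stored, string $password): bool
{
    return sodium_crypto_pwhash_str_verify($stored, $password);
}

// 4. Digest comparison: constant-time compare instead of == / ===.
function digestsMatch(string $expected, string $actual): bool
{
    return hash_equals($expected, $actual);
}

// Constructed demo input.
$document = 'example payload';
$digest   = integrityDigest($document);
var_dump(digestsMatch($digest, integrityDigest($document)));
var_dump(digestsMatch($digest, integrityDigest($document . 'x')));

// Constructed temporary file for the file-digest case.
$tmp = tempnam(sys_get_temp_dir(), 'digest');
file_put_contents($tmp, $document);
var_dump(fileDigest($tmp) === hash('sha256', $document));
unlink($tmp);

$stored = hashPassword('correct horse battery staple');
var_dump(verifyPassword($stored, 'correct horse battery staple'));
var_dump(verifyPassword($stored, 'wrong password'));
```

The distinction between cases 1 and 3 matters when triaging this finding: a `md5()` call used as a cache key or checksum is fixed by swapping in a modern digest, but a `md5()` or `sha1()` call on a user password needs a dedicated password hash, not just a longer digest.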
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0747 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-328 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | insecure hashing, weak crypto |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |
References
- https://www.php.net/manual/en/book.sodium.php
- https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php