CRITICAL
Rule Definition
This weakness is especially dangerous when the hash is used in security algorithms that require the one-way property to hold. For example, if an authentication system takes an incoming password and generates a hash, then compares the hash to another hash that it has stored in its authentication database, then the ability to create a collision could allow an attacker to provide an alternate password that produces the same target hash, bypassing authentication.
Remediation
Use a recommended hash method. Example: SHA-2.
Violation Code Sample
Sample 1:
---------
// "SHA" resolves to SHA-1 in the JCA; this rule flags it as a weak hash
MessageDigest encer = MessageDigest.getInstance("SHA");
encer.update(plainTextIn);
byte[] digest = encer.digest();
// Login if hash matches stored hash
if (equal(digest, secret_password())) {
    login_user();
}
Sample 2:
---------
// MD5 is a weak hash; this rule flags it
MessageDigest encer = MessageDigest.getInstance("MD5");
encer.update(plainTextIn);
byte[] digest = encer.digest();
// Login if hash matches stored hash
if (equal(digest, secret_password())) {
    login_user();
}
Fixed Code Sample
Sample 1:
---------
// SHA-256 is a member of the SHA-2 family
MessageDigest encer = MessageDigest.getInstance("SHA-256");
encer.update(plainTextIn);
byte[] digest = encer.digest();
// Login if hash matches stored hash
if (equal(digest, secret_password())) {
    login_user();
}
Sample 2:
---------
// SHA-512 is a member of the SHA-2 family
MessageDigest encer = MessageDigest.getInstance("SHA-512");
encer.update(plainTextIn);
byte[] digest = encer.digest();
// Login if hash matches stored hash
if (equal(digest, secret_password())) {
    login_user();
}
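The following complete program is an added example for the Rule Definition and Remediation above; it is not CAST's code or part of the original samples. It shows the fixed form of the samples (a SHA-2 digest via MessageDigest), and, because the samples describe a password login, it also shows the salted, iterated construction built on SHA-2 that is normally used for stored passwords (PBKDF2 with HMAC-SHA-256 from the standard JCA provider) together with a constant-time comparison in place of the page's unspecified equal(). The class name, the StoredCredential record, the ITERATIONS work factor and the sample passwords are all constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class HashLoginExample {

    // Hypothetical stored record for one user (constructed for this example):
    // the per-user salt and the derived hash.
    static final class StoredCredential {
        final byte[] salt;
        final byte[] hash;
        StoredCredential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    // Fixed form of the page's sample: a SHA-2 digest ("SHA-256") instead of "SHA" (SHA-1) or "MD5".
    static byte[] sha256(byte[] input) throws NoSuchAlgorithmException {
        MessageDigest encer = MessageDigest.getInstance("SHA-256");
        encer.update(input);
        return encer.digest();
    }

    // For stored passwords a salted, iterated construction on SHA-2 is the usual choice:
    // PBKDF2 with HMAC-SHA-256, producing a 256-bit derived key.
    static byte[] pbkdf2Sha256(char[] password, byte[] salt, int iterations)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return factory.generateSecret(spec).getEncoded();
    }

    // Hypothetical work factor for this example; tune to the deployment's CPU budget.
    static final int ITERATIONS = 600_000;

    // Enrollment: generate a fresh random salt and store salt + derived hash.
    static StoredCredential enroll(char[] password)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new StoredCredential(salt, pbkdf2Sha256(password, salt, ITERATIONS));
    }

    // Login check corresponding to the page's "if (equal(digest, secret_password()))".
    // MessageDigest.isEqual compares in constant time, so the comparison does not leak
    // how many leading bytes matched.
    static boolean login(char[] attempt, StoredCredential stored)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] candidate = pbkdf2Sha256(attempt, stored.salt, ITERATIONS);
        return MessageDigest.isEqual(candidate, stored.hash);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Plain SHA-256 digest of a constructed input
        System.out.println("SHA-256(\"abc\") = " + hex(sha256("abc".getBytes(StandardCharsets.UTF_8))));

        // Password enrollment and two login attempts with constructed sample passwords
        StoredCredential stored = enroll("correct horse".toCharArray());
        System.out.println("correct password accepted: " + login("correct horse".toCharArray(), stored));
        System.out.println("wrong password accepted:   " + login("wrong horse".toCharArray(), stored));
    }
}
```

Run with `javac HashLoginExample.java && java HashLoginExample`. The first line prints the SHA-256 digest of "abc" (ba7816bf...15ad), then the two login checks print true and false. The salt makes equal passwords produce different stored hashes across users, and the iteration count makes each guess cost the same work for an attacker as for the login path.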
Reference
CWE-328
http://cwe.mitre.org/data/definitions/328.html
Related Technologies
Technical Criterion
Secure Coding - Weak Security Features
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.