java.lang.security.audit.crypto.use-of-sha1.use-of-sha1

profile photo of returntocorpreturntocorp
Author
unknown
Download Count*

Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.

Run Locally

Run in CI

Defintion

rules:
  - id: use-of-sha1
    message: Detected SHA1 hash algorithm which is considered insecure. SHA1 is not
      collision resistant and is therefore not suitable as a cryptographic
      signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512
      for other hash function applications.
    languages:
      - java
    severity: WARNING
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-328: Use of Weak Hash"
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#WEAK_MESSAGE_DIGEST_SHA1
      asvs:
        section: V6 Stored Cryptography Verification Requirements
        control_id: 6.2.5 Insecure Algorithm
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x14-V6-Cryptography.md#v62-algorithms
        version: "4"
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    pattern-either:
      - pattern: |
          java.security.MessageDigest.getInstance("SHA1", ...);
      - pattern: |
          $DU.getSha1Digest().digest(...)

Examples

use-of-sha1.java

import java.security.MessageDigest;
import org.apache.commons.codec.digest.DigestUtils;

public class Bad {
  public byte[] bad1(String password) {
      // ruleid: use-of-sha1
      MessageDigest sha1Digest = MessageDigest.getInstance("SHA1");
      sha1Digest.update(password.getBytes());
      byte[] hashValue = sha1Digest.digest();
      return hashValue;
  }
  public byte[] bad2(String password) {
    // ruleid: use-of-sha1
    byte[] hashValue = DigestUtils.getSha1Digest().digest(password.getBytes());
    return hashValue;
  }

  public void bad3() {
      // ruleid: use-of-sha1
      java.security.MessageDigest md = java.security.MessageDigest.getInstance("SHA1", "SUN");
      byte[] input = {(byte) '?'};
      Object inputParam = bar;
      if (inputParam instanceof String) input = ((String) inputParam).getBytes();
      if (inputParam instanceof java.io.InputStream) {
          byte[] strInput = new byte[1000];
          int i = ((java.io.InputStream) inputParam).read(strInput);
          if (i == -1) {
              response.getWriter()
                      .println(
                              "This input source requires a POST, not a GET. Incompatible UI for the InputStream source.");
              return;
          }
          input = java.util.Arrays.copyOf(strInput, i);
      }
      md.update(input);
      byte[] result = md.digest();
      java.io.File fileTarget =
              new java.io.File(
                      new java.io.File(org.owasp.benchmark.helpers.Utils.TESTFILES_DIR),
                      "passwordFile.txt");
      java.io.FileWriter fw =
              new java.io.FileWriter(fileTarget, true); // the true will append the new data
      fw.write(
              "hash_value="
                      + org.owasp.esapi.ESAPI.encoder().encodeForBase64(result, true)
                      + "\n");
      fw.close();
  }
}