javascript.lang.security.audit.md5-used-as-password.md5-used-as-password

It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the bcrypt node.js package.
Definition
rules:
  - id: md5-used-as-password
    message: >-
      It looks like MD5 is used as a password hash. MD5 is not considered a
      secure password hash because it can be cracked by an attacker in a short
      amount of time. Use a suitable password hashing function such as bcrypt.
      You can use the `bcrypt` node.js package.
    metadata:
      category: security
      technology:
        - crypto
        - md5
      references:
        - https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html
        - https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords
        - https://github.com/returntocorp/semgrep-rules/issues/1609
        - https://www.npmjs.com/package/bcrypt
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - javascript
    severity: WARNING
    mode: taint
    pattern-sources:
      - pattern: $CRYPTO.createHash("md5")
    pattern-sinks:
      - patterns:
          - pattern: $FUNCTION(...);
          - metavariable-regex:
              metavariable: $FUNCTION
              regex: (?i)(.*password.*)
Examples
md5-used-as-password.js
const crypto = require("crypto");

// Flagged: the MD5 digest (taint source) flows into a call whose name
// matches /password/i (taint sink).
function ex1(user, pwtext) {
  const digest = crypto.createHash("md5").update(pwtext).digest("hex");
  // ruleid: md5-used-as-password
  user.setPassword(digest);
}

// Not flagged: the source pattern only matches createHash("md5"), so a
// different algorithm does not taint the sink.
function ok1(user, pwtext) {
  const digest = crypto.createHash("sha256").update(pwtext).digest("hex");
  // ok: md5-used-as-password
  user.setPassword(digest);
}
Short Link: https://sg.run/GOEn