php.lang.security.weak-crypto.weak-crypto

Author: semgrep
Download count: 4,191

Detected usage of weak crypto function. Consider using stronger alternatives.


Definition

rules:
  - id: weak-crypto
    patterns:
      - pattern: $FUNC(...);
      - metavariable-regex:
          metavariable: $FUNC
          regex: crypt|md5|md5_file|sha1|sha1_file|str_rot13
    message: Detected usage of weak crypto function. Consider using stronger
      alternatives.
    metadata:
      cwe:
        - "CWE-328: Use of Weak Hash"
      references:
        - https://www.php.net/manual/en/book.sodium.php
        - https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php
      category: security
      technology:
        - php
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Insecure Hashing Algorithm
    languages:
      - php
    severity: ERROR

Examples

weak-crypto.php

<?php

// ruleid: weak-crypto
$hashed_password = crypt('mypassword');

// ruleid: weak-crypto
$hashed_password = md5('mypassword');

// ruleid: weak-crypto
$hashed_password = md5_file('filename.txt');

// ruleid: weak-crypto
$hashed_password = sha1('mypassword');

// ruleid: weak-crypto
$hashed_password = sha1_file('filename.txt');

// ruleid: weak-crypto
$hashed_password = str_rot13('totally secure');

// ok: weak-crypto
$hashed_password = sodium_crypto_generichash('mypassword');
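The rule's message only says "consider stronger alternatives"; the following added example (not part of the Semgrep rule or its test file) shows what those alternatives look like for each flagged case: password_hash()/password_verify() in place of crypt(), md5() and sha1() for passwords, hash_file('sha256') in place of md5_file()/sha1_file() for file digests, and a keyed sodium_crypto_generichash() compared with hash_equals() for integrity tags. The sample inputs are constructed; the key is assumed to come from configuration in real code.

```php
<?php
// Added example: stronger replacements for the functions the rule flags.
// Standard PHP and libsodium APIs only; sample values are constructed.

// Passwords: a salted, slow hash instead of crypt()/md5()/sha1().
// Argon2id when the build provides it, otherwise PHP's current default (bcrypt).
function hash_password(string $password): string
{
    $algo = defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_DEFAULT;
    return password_hash($password, $algo);
}

function verify_password(string $password, string $stored): bool
{
    // password_verify() reads the algorithm and salt from the stored string.
    return password_verify($password, $stored);
}

// File integrity: SHA-256 digest instead of md5_file()/sha1_file().
function file_digest(string $path): string
{
    return hash_file('sha256', $path);
}

// Keyed integrity tag (e.g. for a cache entry or token): BLAKE2b via libsodium
// with a 32-byte secret key, so the tag cannot be recomputed without the key.
function keyed_digest(string $data, string $key): string
{
    return sodium_bin2hex(sodium_crypto_generichash($data, $key));
}

function keyed_digest_matches(string $data, string $key, string $expected_hex): bool
{
    // Constant-time comparison avoids leaking how many leading bytes matched.
    return hash_equals($expected_hex, keyed_digest($data, $key));
}

// Constructed usage; in real code $key is loaded from configuration, not generated per request.
$stored = hash_password('mypassword');
var_dump(verify_password('mypassword', $stored));

$key = sodium_crypto_generichash_keygen();
$tag = keyed_digest('totally secure', $key);
var_dump(keyed_digest_matches('totally secure', $key, $tag));
```

None of these calls match the rule's `$FUNC` regex, so the file above is clean under the rule; note that the rule still fires on md5()/sha1() used for non-security purposes such as cache keys, which is why its confidence is LOW.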