Usage of Weak Hashing library (MD5)

Overview

Rule ID: java_lang_weak_hash_md5
Applicable Languages: Java
Weakness ID: CWE-328

Description

Using a weak hashing algorithm such as MD5 heightens the risk of data breaches. MD5 is susceptible to collision attacks, where different inputs generate the same hash, undermining data integrity and security.

Remediation Guidelines

Do not use MD5 for hashing purposes. This algorithm is no longer considered secure and can compromise data integrity.
```
MessageDigest md = MessageDigest.getInstance("MD5"); // unsafe
```
Do opt for stronger hashing algorithms like SHA-256 to ensure data security.
```
MessageDigest md = MessageDigest.getInstance("SHA-256");
```

References

Java MessageDigest class
CWE-328: Use of Weak Hashtion
OWASP Top 10: A02:2021 - Cryptographic Failures

Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our SAST TOOL

PreviousUsage of Weak Hashing Library on a Password (SHA-1)NextSAST JavaScript Rules

Last updated 8 months ago