Usage of weak hashing library (SHA-1)

Overview

  • Rule ID: javascript_lang_weak_hash_sha1

  • Applicable Languages: JavaScript

  • Weakness ID: CWE-328

Description

Using a weak hashing algorithm such as SHA-1 heightens the risk of data breaches. SHA-1 is especially prone to collision attacks, in which distinct inputs produce the same hash value, compromising data integrity and security.

Remediation Guidelines

  • Do not use SHA-1 for hashing. It's no longer considered secure against well-funded attackers.

    const crypto = require("crypto");
    const hash = crypto.createHmac("sha1", key).update(user.password).digest("hex"); // unsafe: SHA-1
    
  • Do use stronger hashing algorithms like SHA-256 or SHA-3 for enhanced security.

    const crypto = require("crypto");
    const hash = crypto.createHmac("sha256", key).update(user.password).digest("hex"); // SHA-256
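
One way to enforce the guideline above at runtime is to route every HMAC call through a wrapper that only accepts allowlisted digests. This is an added example, not code from the rule's documentation; `ALLOWED_DIGESTS`, `normalizeDigest`, `hmacHex` and `verifyHmacHex` are hypothetical names, and the key and message are constructed sample values.

```javascript
const crypto = require("crypto");

// Assumption: project policy permits only these digests. SHA-3 availability
// depends on the OpenSSL build behind Node; crypto.getHashes() lists it.
const ALLOWED_DIGESTS = new Set(["sha256", "sha384", "sha512", "sha3-256", "sha3-512"]);

// Normalise spellings such as "SHA1", "sha-1" or "SHA-256" so that a
// differently spelled weak algorithm cannot slip past the check.
function normalizeDigest(name) {
  const n = String(name).toLowerCase();
  return n.startsWith("sha3-") ? n : n.replace(/-/g, "");
}

// Compute an HMAC as hex, refusing any digest that is not allowlisted.
function hmacHex(algorithm, key, data) {
  const digest = normalizeDigest(algorithm);
  if (!ALLOWED_DIGESTS.has(digest)) {
    throw new Error(`digest "${algorithm}" is not on the allowlist`);
  }
  return crypto.createHmac(digest, key).update(data).digest("hex");
}

// Verify a hex tag in constant time. timingSafeEqual throws when the
// buffers differ in length, so the lengths are compared first.
function verifyHmacHex(algorithm, key, data, expectedHex) {
  const actual = Buffer.from(hmacHex(algorithm, key, data), "hex");
  const expected = Buffer.from(String(expectedHex), "hex");
  return actual.length === expected.length && crypto.timingSafeEqual(actual, expected);
}

// Constructed sample values.
const demoKey = "constructed-demo-key";
const demoTag = hmacHex("SHA-256", demoKey, "constructed message");
console.log(demoTag.length, verifyHmacHex("sha256", demoKey, "constructed message", demoTag));

for (const weak of ["sha1", "SHA-1", "md5"]) {
  try {
    hmacHex(weak, demoKey, "constructed message");
  } catch (err) {
    console.log(`rejected ${weak}: ${err.message}`);
  }
}
```
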
    
