Weak Hash Algorithm
ID | php.weak_hash_algorithm
Severity | critical
Resource | Cryptography
Language | PHP
Tags | CWE:328, NIST.SP.800-53, OWASP:2021:A2, PCI-DSS:3.6.1, crypto
Description
Weak hash algorithm vulnerabilities arise when outdated or insufficiently secure hashing algorithms are used, making systems susceptible to threats such as hash collisions or preimage attacks.
This often involves the use of algorithms like MD5 or SHA-1.
Rationale
Hardcoding cryptographic keys in source code is a risky practice as it exposes sensitive information that should remain secret. The concern arises because hardcoded keys are not modifiable without a code change, making them an attractive target for attackers who can access the source code or binaries.
For example, using MD5 to hash passwords in a PHP application:
<?php
$password = 'user_password';
$hashed_password = md5($password); // Weak hash function
?>
In this example, MD5’s vulnerability to collision attacks allows attackers to craft inputs that match an existing hash, potentially masquerading as legitimate users or accessing sensitive data undetected.
Remediation
To remediate this vulnerability, manage cryptographic keys securely and never hardcode them in source code. Instead, use environment variables, configuration files, or dedicated secrets management services that provide secure storage and retrieval of sensitive data.
An alternative is to perform cryptographic operations using an external, managed service. Known as Key Management Services (KMS), they provide different features including key generation and storage, key rotation and lifecycle management, encryption / decryption and other cryptographic operations like digital signatures, key wrapping, secure random number generation, etc.
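For the password-hashing case shown in the Rationale, the following added example (not part of the original rule documentation) places the flagged md5() call beside PHP's built-in password_hash() / password_verify() API and shows how stored MD5 digests can be upgraded at login. The function name verifyAndUpgrade and the assumption that legacy values are 32-character lowercase hex MD5 digests are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: verify a login against a stored hash and report
 * whether the stored value must be replaced.
 * Returns [bool $ok, ?string $newHash]; $newHash is non-null when the
 * caller should persist it in place of the old value.
 */
function verifyAndUpgrade(string $candidate, string $stored): array
{
    // Assumption: legacy records are bare 32-char lowercase hex MD5 digests.
    $isLegacyMd5 = preg_match('/^[a-f0-9]{32}$/', $stored) === 1;

    if ($isLegacyMd5) {
        // md5() is used here only to check the old record once;
        // hash_equals() compares in constant time.
        $ok = hash_equals($stored, md5($candidate));
        return [$ok, $ok ? password_hash($candidate, PASSWORD_DEFAULT) : null];
    }

    // Modern record: password_hash() output carries its own salt and cost.
    $ok = password_verify($candidate, $stored);
    $new = ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT))
        ? password_hash($candidate, PASSWORD_DEFAULT)
        : null;

    return [$ok, $new];
}

// Constructed sample data: a legacy record as the flagged code would store it.
$legacy = md5('user_password'); // weak: fast, unsalted

// First login after the fix: the MD5 record verifies and is upgraded.
[$ok, $upgraded] = verifyAndUpgrade('user_password', $legacy);
var_dump($ok);
var_dump(password_get_info($upgraded)['algoName']);

// Later logins go through password_verify() only.
[$okWrong, $unused] = verifyAndUpgrade('wrong_password', $upgraded);
var_dump($okWrong, $unused);

// For non-password digests (for example, file integrity), use SHA-256 or stronger.
echo hash('sha256', 'constructed sample data'), PHP_EOL;
```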
Configuration
The detector has the following configurable parameters:
- allowedAlgorithms, that indicates the algorithms that are allowed to be used.
- forbiddenAlgorithms, that indicates the algorithms that are considered weak and that should not be used.
References
- CWE-328: Use of Weak Hash.
- OWASP - Top 10 2021 Category A02: Cryptographic Failures.