Typescript Sensitive Information Weak Md5
Description
Identifies usage of weak MD5 hashing algorithm in TypeScript code which could expose sensitive data to hash cracking attacks. MD5 is cryptographically broken and should not be used for secure hashing of sensitive information.
Detection Strategy
• Scans for imports and usage of crypto modules (Node's 'crypto' or 'crypto-js' library)
• Detects MD5 hash creation through patterns like crypto.createHash('md5').update() or CryptoJS.MD5()
• Checks if the data being hashed comes from variables or inputs that may contain sensitive information
• Reports a vulnerability when MD5 is used to hash potentially sensitive data
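The four steps above, worked through as a small regex-based scanner. This is an added example, not Fluid Attacks' detector; it assumes that identifiers containing words such as password, secret or token mark sensitive data, and it only reports MD5 calls in files that import Node's 'crypto' or 'crypto-js'.

```typescript
// Added example (not Fluid Attacks' own detector): a regex-based scan that mirrors
// the detection strategy. Assumption: identifiers matching SENSITIVE carry sensitive
// data; other MD5 uses are still listed but flagged as non-sensitive.
type Finding = { line: number; api: string; arg: string; sensitive: boolean };

const SENSITIVE = /password|passwd|secret|token|ssn|credit|card|apikey|api_key/i;

// Step 1: the file must import Node's "crypto" or the "crypto-js" library.
const CRYPTO_IMPORT =
  /from\s+["'](crypto|crypto-js)["']|require\(\s*["'](crypto|crypto-js)["']\s*\)/;
// Step 2: MD5 creation patterns, capturing the argument being hashed.
const NODE_MD5 = /createHash\(\s*["']md5["']\s*\)\s*\.update\(\s*([^)]*)\)/i;
const CRYPTOJS_MD5 = /CryptoJS\.MD5\(\s*([^)]*)\)/;

export function findWeakMd5(source: string): Finding[] {
  const findings: Finding[] = [];
  if (!CRYPTO_IMPORT.test(source)) return findings; // no crypto module in use
  const patterns = [["crypto.createHash", NODE_MD5], ["CryptoJS.MD5", CRYPTOJS_MD5]] as const;
  source.split("\n").forEach((text, idx) => {
    for (const [api, re] of patterns) {
      const m = re.exec(text);
      if (!m) continue;
      const arg = (m[1] ?? "").trim();
      // Step 3: does the hashed value look like it came from sensitive input?
      findings.push({ line: idx + 1, api, arg, sensitive: SENSITIVE.test(arg) });
    }
  });
  return findings;
}

// Step 4: only MD5 over potentially sensitive data is reported as a vulnerability.
export function sensitiveFindings(source: string): Finding[] {
  return findWeakMd5(source).filter((f) => f.sensitive);
}

// Constructed sample input: a password hash and a token hash (both reported) and a
// content checksum (MD5 is still weak, but the data is not sensitive).
export const SAMPLE = `import * as crypto from "crypto";
import CryptoJS from "crypto-js";
function hashPassword(password: string): string {
  return crypto.createHash("md5").update(password).digest("hex");
}
const sig = CryptoJS.MD5(apiToken).toString();
const etag = crypto.createHash("md5").update(fileContents).digest("hex");`;
```

Running `sensitiveFindings(SAMPLE)` yields the password and token uses at lines 4 and 6 of the sample; the checksum at line 7 is listed by `findWeakMd5` but not reported.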
Vulnerable code example
import * as crypto from "crypto";
function hashPassword(password: string): string {
    // VULNERABLE: Using MD5 which is cryptographically broken and unsuitable for password hashing
    return crypto.createHash("md5").update(password).digest("hex");
}
✅ Secure code example
import bcrypt from "bcrypt";
async function hashPassword(password: string): Promise<string> {
    // SECURE: Using bcrypt with cost factor 12 for strong password hashing with automatic salt
    return await bcrypt.hash(password, 12);
}