Scala Insecure Hash Algorithm
Description
Detects the use of cryptographically weak hash algorithms in Scala code through MessageDigest.getInstance() calls. Using weak hash algorithms like MD5 or SHA-1 can make applications vulnerable to collision attacks and preimage attacks, potentially compromising data integrity and security.
Detection Strategy
• Identifies calls to MessageDigest.getInstance() method (including fully qualified versions)
• Examines the first argument passed to getInstance() which specifies the hash algorithm name
• Reports a vulnerability when insecure hash algorithms (like MD5, SHA-1) are requested
• Recognizes different ways of referencing the MessageDigest class including 'java.security.MessageDigest', 'security.MessageDigest' and direct 'MessageDigest' usage
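The following Python scanner is an added illustration of the strategy above, not the rule's own implementation: it matches the three MessageDigest reference styles, reads the first argument of getInstance(), and flags MD5 and SHA-1 (including Java's "SHA1" and "SHA" aliases). The Scala snippet and the `algoFromConfig` identifier are constructed for the example.

```python
import re
from typing import NamedTuple

# Names Java's MessageDigest resolves to MD5 or SHA-1, after case and hyphens are
# normalised away ("SHA-1", "sha1" and the SUN alias "SHA" all land on SHA-1).
WEAK_DIGESTS = {"MD5", "SHA1", "SHA"}

# The three reference styles the rule recognises: java.security.MessageDigest,
# security.MessageDigest and bare MessageDigest; group 1 is the first argument.
GET_INSTANCE = re.compile(
    r'(?:(?:java\.)?security\.)?MessageDigest\.getInstance\(\s*("[^"]*"|[^,)]+)')

class Finding(NamedTuple):
    line: int
    algorithm: str  # normalised name, or "<non-literal>" for a runtime value
    weak: bool

def find_digest_calls(scala_source: str) -> list[Finding]:
    """Classify every MessageDigest.getInstance call in the given Scala source."""
    findings = []
    for lineno, text in enumerate(scala_source.splitlines(), start=1):
        code = text.split("//", 1)[0]  # drop line comments (naive: ignores "//" in strings)
        for m in GET_INSTANCE.finditer(code):
            arg = m.group(1).strip()
            if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
                alg = arg[1:-1].upper().replace("-", "")
                findings.append(Finding(lineno, alg, alg in WEAK_DIGESTS))
            else:
                # Algorithm chosen at runtime: cannot be decided statically here.
                findings.append(Finding(lineno, "<non-literal>", False))
    return findings

def weak_hash_findings(scala_source: str) -> list[Finding]:
    return [f for f in find_digest_calls(scala_source) if f.weak]

# Constructed Scala snippet (not from the original page) exercising each style.
SAMPLE = '''import java.security.MessageDigest
object Hashes {
  val a = MessageDigest.getInstance("MD5")
  val b = java.security.MessageDigest.getInstance("SHA-1")
  val c = security.MessageDigest.getInstance("sha1") // still SHA-1
  val d = MessageDigest.getInstance("SHA-256")
  val e = MessageDigest.getInstance(algoFromConfig)
  // val f = MessageDigest.getInstance("MD5") is commented out
}'''

if __name__ == "__main__":
    for f in weak_hash_findings(SAMPLE):
        print(f"line {f.line}: weak digest {f.algorithm}")
```

A non-literal argument is reported separately rather than flagged, since a pattern-based check cannot resolve a value chosen at runtime.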
Vulnerable code example

import java.security.MessageDigest
import javax.crypto.KeyGenerator

object WeakCrypto {
  def main(args: Array[String]): Unit = {
    // Weak crypto: DES is a legacy algorithm with small key space
    val desKeyGen = KeyGenerator.getInstance("DES").generateKey()
    // ...
  }
}

✅ Secure code example
import java.security.MessageDigest
import javax.crypto.KeyGenerator

object SecureCrypto {
  def main(args: Array[String]): Unit = {
    // Secure crypto: AES with 256-bit key (industry standard)
    val aesKeyGen = KeyGenerator.getInstance("AES")
    aesKeyGen.init(256) // Explicitly set key size to 256 bits
    // ...
  }
}