Javascript Sensitive Information Weak Md5
Description
Detects the use of the MD5 hashing algorithm with potentially sensitive data in JavaScript code. MD5 is cryptographically broken and should not be used to secure sensitive information: it is vulnerable to collision attacks and is considered cryptographically weak.
Detection Strategy
• Identifies imports or requires of 'crypto' or 'crypto-js' modules
• Detects calls to crypto.md5.update() from the native crypto module
• Detects calls to CryptoJS.MD5() from the crypto-js library
• Checks if the MD5 hash function is being used with data that could be sensitive
• Reports a vulnerability when MD5 hashing is used in a security context
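The detection strategy above, as an added illustrative scanner (not Fluid Attacks' own rule implementation): it only flags MD5 calls when the file imports crypto or crypto-js, and marks a finding as sensitive when the same line names an identifier such as password, secret or token (an assumed heuristic list; the sample source is constructed).

```javascript
// Matches require()/import of the two modules named in the detection strategy.
const IMPORT_RE = /(?:require\(\s*['"](crypto|crypto-js)['"]\s*\)|from\s+['"](crypto|crypto-js)['"])/;
// The two MD5 call shapes the rule looks for.
const MD5_PATTERNS = [
  { re: /createHash\(\s*['"]md5['"]\s*\)/i, what: "crypto.createHash('md5')" },
  { re: /CryptoJS\.MD5\s*\(/, what: 'CryptoJS.MD5()' },
];
// Assumed heuristic: identifiers that suggest the hashed data is sensitive.
const SENSITIVE_RE = /password|passwd|secret|token|credential|apikey|api_key/i;

// Returns one finding per MD5 call: { line, call, sensitive }.
function scanSource(source) {
  const lines = source.split('\n');
  // Strategy step 1: no crypto/crypto-js import, nothing to report.
  if (!lines.some((l) => IMPORT_RE.test(l))) return [];
  const findings = [];
  lines.forEach((line, idx) => {
    for (const { re, what } of MD5_PATTERNS) {
      if (re.test(line)) {
        findings.push({ line: idx + 1, call: what, sensitive: SENSITIVE_RE.test(line) });
      }
    }
  });
  return findings;
}

// Strategy step 5: only MD5 over sensitive-looking data is reported as a vulnerability.
function vulnerabilities(source) {
  return scanSource(source).filter((f) => f.sensitive);
}

// Constructed sample: two hashes of sensitive data and one harmless content ETag.
const SAMPLE = [
  "const crypto = require('crypto');",
  "const CryptoJS = require('crypto-js');",
  'function hashPassword(password) {',
  "  return crypto.createHash('md5').update(password).digest('hex');",
  '}',
  "const etag = crypto.createHash('md5').update(fileBody).digest('hex');",
  'const tokenDigest = CryptoJS.MD5(sessionToken).toString();',
].join('\n');

console.log(vulnerabilities(SAMPLE)); // lines 4 and 7 are reported, line 6 is not
```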
Vulnerable code example
const crypto = require('crypto');
function hashPassword(password) {
  return crypto.createHash('md5').update(password).digest('hex'); // VULNERABLE: Using MD5 hash which is cryptographically broken
}
✅ Secure code example
const crypto = require('crypto');
function hashPassword(password) {
  const salt = crypto.randomBytes(16); // Generate cryptographically secure salt
  return crypto.pbkdf2Sync(password, salt, 310000, 32, 'sha256').toString('hex') +
    ':' + salt.toString('hex'); // Store salt with hash for verification
}