Javascript Hardcoded Salt In Hash
Description
Detects when cryptographic hashing functions in JavaScript code use a hardcoded salt value instead of a randomly generated one. A static salt is shared by every password and is usually visible in the source, so identical passwords produce identical hashes, and an attacker who recovers the salt can precompute a single rainbow table that reverses every hash in the database at once. Each password must instead receive its own unpredictable salt from a cryptographically secure random source, stored alongside the hash so it can be reused at verification time. A single round of a fast digest such as SHA-256 also offers no work factor; a password KDF such as PBKDF2 should be used on top of the random salt.
Detection Strategy
• Identifies JavaScript code where cryptographic hash functions are used (e.g. crypto.createHash)
• Checks whether the salt mixed into the hashing operation is a string literal, or a constant initialised from one, rather than a value drawn from crypto.randomBytes or another cryptographically secure source
• Reports a vulnerability when the hash operation uses such a static, predefined salt instead of a salt generated per password
• Example of vulnerable code: crypto.createHash('sha256').update(password + 'staticSalt')
Vulnerable code example
const crypto = require('crypto');
function hashPassword(password) {
  // UNSAFE: the same literal salt is applied to every password, so equal
  // passwords give equal hashes and one precomputed table covers all users
  return crypto.createHash('sha256').update(password + "HARDCODED_SALT").digest('hex');
}
✅ Secure code example
const crypto = require('crypto');
function hashPassword(password) {
  // Generate unique random salt for each password
  const salt = crypto.randomBytes(16);
  // Use PBKDF2 with high iterations for slow hashing
  return new Promise((resolve, reject) => {
    crypto.pbkdf2(password, salt, 600000, 32, 'sha256', (err, derivedKey) => {
      if (err) return reject(err);
      resolve(`${salt.toString('hex')}:${derivedKey.toString('hex')}`); // salt is stored with the hash for later verification
    });
  });
}