Javascript Insecure Hash Sha1
Description
Identifies usage of the SHA-1 hash function in JavaScript code. SHA-1 is cryptographically broken: practical collision attacks exist (an identical-prefix collision was published in 2017 and a chosen-prefix collision in 2020), so an attacker can craft two different inputs that produce the same digest. That makes it unsuitable for collision-sensitive operations such as digital signatures and certificates. It is also unsuitable for password hashing, although for a different reason: like any fast general-purpose hash it can be brute-forced at very high speed, so passwords need a slow, salted key derivation function rather than a faster hash. Note that HMAC-SHA1 is not broken by collision attacks, but it is still a legacy construction and should be migrated to HMAC-SHA256 or stronger.
Detection Strategy
• Scans JavaScript code for SHA-1 being selected as the algorithm of a cryptographic operation
• Detects SHA-1 both through direct algorithm specifications (for example `createHash('sha1')`, `createSign('RSA-SHA1')` or `crypto.subtle.digest('SHA-1', ...)`) and through imports of dedicated SHA-1 libraries such as js-sha1
• Reports a finding whenever SHA-1 is used for a cryptographic operation where a current algorithm such as SHA-256 or SHA-3 should be used instead
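The following is an added example of the detection logic described above, written for this page and not Fluid Attacks' own engine. It is a line-based scanner over a constructed JavaScript sample; the pattern list, the `findSha1Usage()` function and the `SAMPLE_SOURCE` input are assumptions for illustration only.

```javascript
// Added example: a minimal line-based scanner for SHA-1 usage in JavaScript
// source. Illustrative only; the pattern list and findSha1Usage() API are
// assumptions made for this example, not a real tool's interface.

// Each pattern pairs a regular expression with the reason it is reported.
const SHA1_PATTERNS = [
  {
    // Node crypto primitives instantiated with SHA-1, e.g. createHash('sha1'),
    // createHmac("sha1", key), createSign('RSA-SHA1'), createVerify('sha1').
    re: /create(?:Hash|Hmac|Sign|Verify)\(\s*['"`](?:rsa-|dsa-|ecdsa-with-)?sha-?1['"`]/i,
    reason: 'Node crypto primitive instantiated with SHA-1',
  },
  {
    // Web Crypto algorithm identifier, e.g. crypto.subtle.digest('SHA-1', buf)
    // or { name: 'HMAC', hash: 'SHA-1' }. Case-sensitive on purpose: the
    // Web Crypto name is always the upper-case, hyphenated form.
    re: /['"`]SHA-1['"`]/,
    reason: 'Web Crypto algorithm identifier SHA-1',
  },
  {
    // Third-party SHA-1 libraries pulled in via require() or import.
    re: /(?:require\(\s*['"`]|from\s+['"`])(?:js-sha1|sha1|crypto-js\/sha1)['"`]/,
    reason: 'SHA-1 library imported',
  },
];

// Returns one finding per offending line: { line, snippet, reason }.
function findSha1Usage(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    const trimmed = text.trim();
    // Skip comment lines so a remark about SHA-1 does not count as usage.
    // (Line-based approximation; a real engine would work on the AST.)
    if (trimmed.startsWith('//') || trimmed.startsWith('/*') || trimmed.startsWith('*')) return;
    for (const { re, reason } of SHA1_PATTERNS) {
      const match = re.exec(text);
      if (match) {
        findings.push({ line: index + 1, snippet: match[0], reason });
        break; // one finding per line is enough
      }
    }
  });
  return findings;
}

// Constructed sample input (not real project code). Line 1 is the empty
// line after the opening backtick, so the first statement is line 2.
const SAMPLE_SOURCE = `
const crypto = require('crypto');
const sha1 = require('js-sha1');
// createHash('sha1') mentioned in a comment only, must not be reported
function legacyToken(data) {
  return crypto.createHash('sha1').update(data).digest('hex');
}
const signer = crypto.createSign('RSA-SHA1');
const webDigest = (buf) => crypto.subtle.digest('SHA-1', buf);
const safe = crypto.createHash('sha256').update('x').digest('hex');
const mac = crypto.createHmac('sha256', 'key');
`;

// Expected: findings on lines 3, 6, 8 and 9; the SHA-256 lines are clean.
for (const f of findSha1Usage(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.reason} (${f.snippet})`);
}
```

The scanner reports the import site of js-sha1 rather than each call through an alias such as `myCryptoLibrary`, because tracking what a `require()` result is later named needs an AST and data-flow, not a regular expression; the import is still enough to flag the file. The comment-skipping is deliberately conservative and only filters whole-line comments.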
Vulnerable code example
const myCryptoLibrary = require("js-sha1")
// Vulnerable: Using SHA-1 hash function which is cryptographically broken.
// All five calls compute the SHA-1 digest of the input (here an empty string
// as a placeholder) and differ only in the output format returned.
myCryptoLibrary("");
myCryptoLibrary.hex("");
myCryptoLibrary.array("");
myCryptoLibrary.digest("");
myCryptoLibrary.arrayBuffer('');
✅ Secure code example
const crypto = require('crypto'); // Using Node.js native crypto
// Safe: Using SHA-256 instead of cryptographically broken SHA-1
function secureHash(data) {
const hash = crypto.createHash('sha256'); // Modern, cryptographically secure hash
return hash.update(data).digest('hex');
}