Scala Hash Without Salt
Description
Detects cryptographic hashing performed without a salt in Scala applications. Hashing without a salt makes the output vulnerable to rainbow table attacks and precomputed hash lookups, and lets an attacker recognise reused passwords because identical inputs always produce identical digests; this significantly weakens the protection of stored password hashes and other sensitive data. Note that a salt alone does not make a fast general-purpose hash such as SHA-256 suitable for password storage; password hashing should use a purpose-built algorithm that handles salting and work factor, as the secure example on this page does with BCrypt.
Detection Strategy
• Identifies imports of java.security.MessageDigest, or of the java.security package as a whole
• Looks for direct calls to digest() on a MessageDigest instance
• Only considers strong hashing algorithms (weak digest implementations are outside the scope of this rule)
• Checks whether the code lacks update() calls, which would otherwise indicate that a salt is fed into the digest before the final digest() call
• Reports a vulnerability when hashing is performed without evidence of a salt being applied
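The five detection steps above, as an added example written for this page (it is not Fluid Attacks' own analyzer, whose exact matching rules are not published here): a small Python scanner that applies the same heuristics to constructed Scala snippets. The snippets are sample input written for this example; two of them mirror the page's vulnerable and secure examples, and the others add a salted MessageDigest variant, a weak-algorithm unit, and a unit that shows the limit of treating any update() call as evidence of a salt. The regular expressions and the WEAK_ALGORITHMS set are assumptions made for the example.

```python
import re

# Constructed Scala snippets used as sample input (written for this example,
# not taken from any project). UNSALTED and BCRYPT mirror the page's examples.
UNSALTED = """\
import java.security.MessageDigest
object PasswordHasher {
  def hashPassword(password: String): String = {
    val md = MessageDigest.getInstance("SHA-256")
    val hashedBytes = md.digest(password.getBytes("UTF-8"))
    bytesToHex(hashedBytes)
  }
}
"""

SALTED = """\
import java.security.{MessageDigest, SecureRandom}
object PasswordHasher {
  def hashPassword(password: String, salt: Array[Byte]): String = {
    val md = MessageDigest.getInstance("SHA-256")
    md.update(salt)
    bytesToHex(md.digest(password.getBytes("UTF-8")))
  }
}
"""

BCRYPT = """\
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
object PasswordHasher {
  private val encoder = new BCryptPasswordEncoder()
  def hashPassword(password: String): String = encoder.encode(password)
}
"""

WEAK_MD5 = """\
import java.security._
object Legacy {
  def fingerprint(data: Array[Byte]): Array[Byte] =
    MessageDigest.getInstance("MD5").digest(data)
}
"""

# Blind spot of the heuristic: update() carries the password itself, no salt.
UPDATE_NO_SALT = """\
import java.security.MessageDigest
object PasswordHasher {
  def hashPassword(password: String): Array[Byte] = {
    val md = MessageDigest.getInstance("SHA-256")
    md.update(password.getBytes("UTF-8"))
    md.digest()
  }
}
"""

# Assumed list of digests treated as weak and therefore out of scope here.
WEAK_ALGORITHMS = {"MD2", "MD5", "SHA", "SHA1", "SHA-1"}

# Scala import forms: the class itself, a wildcard (_ or *), or a selector list.
IMPORT_RE = re.compile(
    r"^\s*import\s+java\.security\."
    r"(?:MessageDigest\b|_|\*|\{[^}]*\bMessageDigest\b[^}]*\})",
    re.MULTILINE,
)
GET_INSTANCE_RE = re.compile(r'MessageDigest\.getInstance\(\s*"([^"]+)"\s*\)')
DIGEST_RE = re.compile(r"\.digest\(")
UPDATE_RE = re.compile(r"\.update\(")


def scan(source: str) -> list[dict]:
    """Apply the five detection steps to one Scala source unit.

    Returns one finding per digest() call when the unit hashes with a
    non-weak MessageDigest and never calls update(), i.e. shows no
    evidence of a salt. Units using only weak algorithms are skipped.
    """
    # Step 1: the rule only applies when MessageDigest is imported.
    if not IMPORT_RE.search(source):
        return []
    # Step 2: there must be a direct digest() call.
    digest_calls = list(DIGEST_RE.finditer(source))
    if not digest_calls:
        return []
    # Step 3: only non-weak algorithms are in scope. An algorithm that is
    # not a string literal cannot be classified and is kept in scope.
    algorithms = GET_INSTANCE_RE.findall(source)
    if algorithms and all(a.upper() in WEAK_ALGORITHMS for a in algorithms):
        return []
    # Step 4: any update() call is taken as evidence that a salt is fed
    # into the digest before the final digest() call.
    if UPDATE_RE.search(source):
        return []
    # Step 5: report every digest() call with its 1-based line number.
    return [
        {
            "line": source.count("\n", 0, m.start()) + 1,
            "algorithm": ", ".join(algorithms) or "unknown",
            "message": "hash computed without salt",
        }
        for m in digest_calls
    ]


if __name__ == "__main__":
    for name, src in [("UNSALTED", UNSALTED), ("SALTED", SALTED),
                      ("BCRYPT", BCRYPT), ("WEAK_MD5", WEAK_MD5),
                      ("UPDATE_NO_SALT", UPDATE_NO_SALT)]:
        print(name, scan(src))
```

Running it reports only the unsalted SHA-256 unit, at the line of its digest() call. The last snippet is the caveat a practitioner should keep in mind: it streams the password itself through update() and then calls digest() with no arguments, so a strategy that treats any update() call as salt evidence does not flag it. Anyone tuning such a rule would want to check that at least one update() or digest() argument is something other than the password bytes. The salt is also only part of the fix for password storage; the page's secure example switches to BCrypt rather than adding a salt to SHA-256.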
Vulnerable code example
import java.security.MessageDigest
object PasswordHasher {
  def hashPassword(password: String): String = {
    val md = MessageDigest.getInstance("SHA-256")
    // VULNERABLE: Password hashed without salt, vulnerable to rainbow table attacks
    val hashedBytes = md.digest(password.getBytes("UTF-8"))
    bytesToHex(hashedBytes)
  }
  // Hex-encodes the digest bytes so the hash can be stored as text
  private def bytesToHex(bytes: Array[Byte]): String =
    bytes.map(b => f"${b & 0xff}%02x").mkString
}
✅ Secure code example
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
import org.springframework.security.crypto.password.PasswordEncoder
object PasswordHasher {
  // Use BCrypt which automatically handles salt generation and secure hashing
  private val encoder: PasswordEncoder = new BCryptPasswordEncoder()
  def hashPassword(password: String): String = {
    // The returned string embeds the random salt and cost factor next to the hash
    encoder.encode(password)
  }
  // Verify a login attempt against the stored hash; the salt is read back from the hash itself
  def verifyPassword(password: String, storedHash: String): Boolean =
    encoder.matches(password, storedHash)
}