Java One Way Hash Without Salt
Description
Identifies instances where MessageDigest is used to hash data without incorporating a salt value. This is a security weakness: without a per-input salt, identical inputs always produce identical hashes, so an attacker who obtains the stored hashes can match them against precomputed rainbow tables instead of attacking each one individually, making it far easier to recover the original values.
Detection Strategy
• Code imports java.security.MessageDigest or java.security.*
• The code calls MessageDigest.digest() method directly
• No update() method is called with a salt value before the digest operation
• The digest operation is used in a context that suggests password or sensitive data hashing
Vulnerable code example
import java.security.MessageDigest;

public String unsafeHash(String password) throws Exception {
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    // Vulnerable: hashing without a salt makes the password susceptible to rainbow table attacks
    byte[] hash = md.digest(password.getBytes());
    return new String(hash);
}
✅ Secure code example
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.xml.bind.DatatypeConverter; // Removed from the JDK in Java 11+; use java.util.Base64 or HexFormat there

public String safeHash(String password) throws Exception {
    SecureRandom random = new SecureRandom();
    byte[] salt = new byte[16];
    random.nextBytes(salt); // Generate a cryptographically secure random salt
    // The lines below complete the snippet, which was cut off after the salt generation above
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    md.update(salt); // Feed the salt into the digest before the password
    byte[] hash = md.digest(password.getBytes("UTF-8"));
    // Return the salt together with the hash so it can be stored and reused on verification
    return DatatypeConverter.printHexBinary(salt) + ":" + DatatypeConverter.printHexBinary(hash);
}
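The detection strategy above as a runnable heuristic, written for this page as an added example (it is not Fluid Attacks' analyzer): it scans Java source line by line, tracks which MessageDigest objects received an update(...) call with a salt-named argument, and flags digest() calls on password-like data that did not. The two embedded inputs are constructed from the snippets on this page.

```python
import re

# Line-based heuristic for the four detection bullets above. Constructed
# example, not Fluid Attacks' analyzer: a real scanner works on the AST.
MD_IMPORT = re.compile(r"^\s*import\s+java\.security\.(?:MessageDigest|\*)\s*;")
METHOD_SIG = re.compile(r"\b(?!if\b|else\b|for\b|while\b|catch\b|switch\b)\w+\s+\w+\s*\(([^)]*)\)[^{;]*\{")
UPDATE_CALL = re.compile(r"\b(\w+)\.update\s*\(([^)]*)\)")
DIGEST_CALL = re.compile(r"\b(\w+)\.digest\s*\(([^)]*)\)")
SENSITIVE = re.compile(r"password|passwd|secret|credential", re.IGNORECASE)
SALT = re.compile(r"salt", re.IGNORECASE)

def find_unsalted_digests(java_source):
    """Return [(line_no, var)] for digest() calls on sensitive data whose
    MessageDigest did not receive update(<salt>) earlier in the same method."""
    lines = java_source.splitlines()
    if not any(MD_IMPORT.match(line) for line in lines):
        return []                      # bullet 1: MessageDigest never imported
    findings, salted, params = [], set(), ""
    for number, line in enumerate(lines, 1):
        sig = METHOD_SIG.search(line)
        if sig:                        # a new method starts a fresh scope
            params, salted = sig.group(1), set()
        for var, arg in UPDATE_CALL.findall(line):
            if SALT.search(arg):       # bullet 3: update(salt) seen
                salted.add(var)
        for var, arg in DIGEST_CALL.findall(line):   # bullet 2: digest()
            if var in salted or SALT.search(arg):
                continue
            if SENSITIVE.search(arg) or SENSITIVE.search(params):  # bullet 4
                findings.append((number, var))
    return findings

# Constructed inputs mirroring the two snippets on this page.
VULNERABLE = """import java.security.MessageDigest;
public String unsafeHash(String password) throws Exception {
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    byte[] hash = md.digest(password.getBytes());
    return new String(hash);
}"""
SECURE = """import java.security.*;
public String safeHash(String password) throws Exception {
    byte[] salt = new byte[16];
    new SecureRandom().nextBytes(salt);
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    md.update(salt);
    return new String(md.digest(password.getBytes("UTF-8")));
}"""
```

Calling find_unsalted_digests(VULNERABLE) reports the digest on line 4 of that snippet, while the salted version yields no findings; like any line-based heuristic it misses salts passed through variables with other names or across method boundaries.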