Typescript Insecure Hash Sha1
Description
Identifies usage of cryptographically weak hash functions (specifically SHA1) in TypeScript code. SHA1 is considered cryptographically broken and can lead to hash collisions, making it unsuitable for security-critical operations like password hashing or digital signatures.
Detection Strategy
• Detects import statements or require calls that include SHA1 hashing libraries
• Identifies function calls or method invocations that use SHA1 hashing operations
• Reports a vulnerability when SHA1 is used in cryptographic operations like password hashing or signature generation
• Checks for common SHA1 implementation patterns including crypto.createHash('sha1') and similar constructs
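The detection strategy above can be approximated with line-based pattern matching, shown here as an added example that is not Fluid Attacks' own rule implementation. The function `findSha1Usage`, the rule names and the `SHA1_MODULES` list are assumptions made for illustration; a production rule would match on the AST rather than on text lines.

```typescript
// Added example: reports SHA-1 imports, calls through the imported name, and createHash('sha1').
interface Finding { line: number; rule: string; text: string }

// Assumed list of SHA-1 module names; "js-sha1" is the one this page uses.
const SHA1_MODULES = ["js-sha1", "sha1", "crypto-js/sha1"];
const IMPORT_RE = /\bimport\s+(?:\*\s+as\s+)?(\w+)\s+from\s+["']([^"']+)["']/;
const REQUIRE_RE = /\b(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*["']([^"']+)["']\s*\)/;
const CREATE_HASH_RE = /\bcreateHash\(\s*["'`]sha-?1["'`]\s*\)/i;

function findSha1Usage(source: string): Finding[] {
  const findings: Finding[] = [];
  const aliases: string[] = []; // local names bound to a SHA-1 module
  source.split("\n").forEach((raw, i) => {
    const text = raw.trim();
    if (text === "" || text.indexOf("//") === 0) return; // skip blanks and comment lines
    const add = (rule: string) => findings.push({ line: i + 1, rule, text });
    const imp = IMPORT_RE.exec(text) || REQUIRE_RE.exec(text);
    if (imp && SHA1_MODULES.indexOf(imp[2]) !== -1) {
      aliases.push(imp[1]); // remember the binding so later calls can be matched
      add("sha1-import");
      return;
    }
    if (CREATE_HASH_RE.test(text)) { add("sha1-createHash"); return; }
    const called = aliases.some((a) => new RegExp("\\b" + a + "(?:\\.\\w+)?\\s*\\(").test(text));
    if (called) add("sha1-call");
  });
  return findings;
}

// Constructed inputs: this page's vulnerable and secure snippets, plus one createHash('sha1') line.
const VULNERABLE = [
  'import sha1 from "js-sha1";',
  "// Using SHA-1 hash is cryptographically insecure due to known collisions",
  'sha1("password");',
  'sha1.hex("sensitive-data");',
  'sha1.array("user-input");',
  "const legacy = crypto.createHash('sha1').update(data).digest('hex');",
].join("\n");
const SECURE = [
  "const crypto = require('crypto');",
  "const hash = crypto.createHash('sha256').update(\"password\").digest('hex');",
].join("\n");

console.log(findSha1Usage(VULNERABLE).map((f) => f.line + ":" + f.rule));
console.log(findSha1Usage(SECURE).length);
```

Tracking the imported binding is what lets the check flag `sha1.hex(...)` without also flagging comments or strings that merely mention SHA-1.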
Vulnerable code example
import sha1 from "js-sha1";
// Using SHA-1 hash is cryptographically insecure due to known collisions
sha1("password");
sha1.hex("sensitive-data");
sha1.array("user-input");
✅ Secure code example
const crypto = require('crypto');
// Using SHA-256 instead of SHA-1 for stronger cryptographic security
const hash = crypto.createHash('sha256').update("password").digest('hex');
const hashHex = crypto.createHash('sha256').update("sensitive-data").digest('hex');
const hashArray = Buffer.from(crypto.createHash('sha256').update("user-input").digest());