Typescript Hardcoded Salt In Hash
Description
Detects when cryptographic hash functions use hardcoded salt values instead of randomly generated ones. A fixed salt is shared by every hashed value, so it no longer forces an attacker to work on each hash separately: a single precomputed table (a rainbow table) built for that one salt cracks every record at once, which is exactly the precomputation attack a per-record random salt is meant to prevent.
Detection Strategy
• Identifies variable declarations that involve hash operations or hash-related functions
• Checks if the salt parameter or value used in the hash operation is a hardcoded constant rather than a randomly generated value
• Reports a vulnerability when a hash function call includes a static/fixed salt value in its parameters
• Examines variables and function calls that create or modify hash values to find hardcoded salt instances
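As an added illustration of the detection strategy above (this is example code written for this page, not Fluid Attacks' analyzer), here is a small heuristic scanner in TypeScript that covers the shapes the bullets describe: a string literal, or a constant bound to a string literal, fed to hash.update() on a createHash() object, and the same in the salt position of pbkdf2/scrypt. The three sample sources it scans are constructed inline; the names findHardcodedSalts and SaltFinding are my own.

```typescript
// Heuristic, line-oriented scanner for hardcoded salts in TypeScript/JavaScript source.
// Added example; it is not the analyzer described on the page.
interface SaltFinding {
  line: number;    // 1-based line number in the scanned source
  reason: string;  // which pattern matched
  snippet: string; // trimmed source line
}

// `const NAME = 'literal'` style declarations: these names are treated as fixed values.
const STRING_CONST = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(['"`])[^'"`]*\2\s*;?/g;
// First argument of a .update(...) call (an optional encoding argument may follow).
const UPDATE_CALL = /\.update\(\s*([^,()]+?)\s*(?:,[^)]*)?\)/;
// Second (salt) argument of a password-based KDF call; a third argument always follows.
const KDF_SALT_ARG = /\b(pbkdf2Sync|pbkdf2|scryptSync|scrypt)\(\s*[^,()]+,\s*([^,()]+?)\s*,/;

function isStringLiteral(expr: string): boolean {
  return /^(['"`])[^'"`]*\1$/.test(expr);
}

function collectStringConstants(source: string): Set<string> {
  const names = new Set<string>();
  const re = new RegExp(STRING_CONST.source, "g"); // fresh instance: no shared lastIndex
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    names.add(m[1]);
  }
  return names;
}

function findHardcodedSalts(source: string): SaltFinding[] {
  const findings: SaltFinding[] = [];
  const fixedNames = collectStringConstants(source);
  const isFixed = (expr: string) => isStringLiteral(expr) || fixedNames.has(expr);
  // Only treat .update() as a hash input when the file actually builds a hash object.
  const usesCreateHash = source.includes("createHash(");

  source.split(/\r?\n/).forEach((text, idx) => {
    const line = idx + 1;
    const upd = UPDATE_CALL.exec(text);
    if (usesCreateHash && upd && isFixed(upd[1])) {
      findings.push({ line, reason: `fixed value ${upd[1]} passed to hash.update()`, snippet: text.trim() });
    }
    const kdf = KDF_SALT_ARG.exec(text);
    if (kdf && isFixed(kdf[2])) {
      findings.push({ line, reason: `fixed value ${kdf[2]} used as salt in ${kdf[1]}()`, snippet: text.trim() });
    }
  });
  return findings;
}

// Constructed sample inputs (not taken from any real code base).
const VULNERABLE_SAMPLE = `import { createHash } from "crypto";
function hashPassword(password: string) {
  const hash = createHash('sha512');
  hash.update("FIXED_SALT_123");
  hash.update(password);
  return hash.digest('hex');
}`;

const SECURE_SAMPLE = `import { pbkdf2Sync, randomBytes } from 'crypto';
function hashPassword(password: string) {
  const salt = randomBytes(16);
  const hash = pbkdf2Sync(password, salt, 100000, 64, 'sha512');
  return { hash: hash.toString('hex'), salt: salt.toString('hex') };
}`;

// The salt hides behind a constant name, which a purely literal-based check would miss.
const CONST_SAMPLE = `import { createHash, scryptSync } from "crypto";
const SALT = "app-wide-salt";
function fingerprint(input: string) {
  return createHash("sha256").update(SALT).update(input).digest("hex");
}
const key = scryptSync("secret", SALT, 32);`;

for (const [name, src] of [["vulnerable", VULNERABLE_SAMPLE], ["secure", SECURE_SAMPLE], ["const", CONST_SAMPLE]]) {
  console.log(name, findHardcodedSalts(src));
}
```

The scanner is deliberately simple: it resolves only same-file string constants, reports at most one update() and one KDF finding per line, and does not follow salts built with Buffer.from() or imported from another module, which is the kind of data-flow tracking a real analyzer does on the declarations the bullets mention.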
Vulnerable code example
    import { createHash } from "crypto";
    function hashPassword(password: string) {
      const hash = createHash('sha512');
      hash.update("FIXED_SALT_123"); // Vulnerable: Using hardcoded salt reduces security
      hash.update(password);
      return hash.digest('hex');
    }
✅ Secure code example
    import { pbkdf2Sync, randomBytes } from 'crypto';
    function hashPassword(password: string) {
      const salt = randomBytes(16); // Generate cryptographically random salt
      // Use PBKDF2 with 100000 iterations for slow hashing resistant to brute-force
      const hash = pbkdf2Sync(password, salt, 100000, 64, 'sha512');
      return {
        hash: hash.toString('hex'),
        // Assumed completion: the original listing is cut off here; the salt has to be
        // stored next to the hash so the password can be verified later
        salt: salt.toString('hex'),
      };
    }
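As an added example (written for this page, not the original listing's code), here is the secure pattern above carried through to the verification step the snippet stops short of, together with a function that demonstrates the property a random salt provides and that a fixed salt lacks. The names hashPassword, verifyPassword, hashWithFixedSalt, saltEffect and the StoredCredential shape are my own, and the sample passwords are constructed; only Node's built-in crypto module is used.

```typescript
// Added example: per-record random salt, verification, and the observable difference
// against a constant salt. Not part of the original page.
import { pbkdf2Sync, randomBytes, timingSafeEqual } from "crypto";

const ITERATIONS = 100000; // same work factor as the page's secure example
const KEY_LENGTH = 64;     // bytes of derived key
const DIGEST = "sha512";

// What gets persisted per account. The salt travels with the hash; it is not a secret.
interface StoredCredential {
  salt: string;       // hex, 16 random bytes
  hash: string;       // hex, KEY_LENGTH bytes
  iterations: number; // stored so the work factor can be raised later without breaking old records
}

function hashPassword(password: string): StoredCredential {
  const salt = randomBytes(16); // fresh, unpredictable salt on every call
  const hash = pbkdf2Sync(password, salt, ITERATIONS, KEY_LENGTH, DIGEST);
  return { salt: salt.toString("hex"), hash: hash.toString("hex"), iterations: ITERATIONS };
}

function verifyPassword(password: string, stored: StoredCredential): boolean {
  const candidate = pbkdf2Sync(
    password, Buffer.from(stored.salt, "hex"), stored.iterations, KEY_LENGTH, DIGEST);
  const expected = Buffer.from(stored.hash, "hex");
  // timingSafeEqual throws on a length mismatch, so guard it; the constant-time
  // comparison avoids leaking how many leading bytes matched.
  return candidate.length === expected.length && timingSafeEqual(candidate, expected);
}

// The page's anti-pattern, kept only to make its weakness observable: a constant salt.
function hashWithFixedSalt(password: string): string {
  return pbkdf2Sync(password, "FIXED_SALT_123", ITERATIONS, KEY_LENGTH, DIGEST).toString("hex");
}

// With a random salt, hashing the same password twice yields two unrelated records, so a
// table precomputed for one record says nothing about another. With a fixed salt the
// digest is a pure function of the password, so one precomputed table covers every record.
function saltEffect(password: string): { randomSaltDigestsDiffer: boolean; fixedSaltDigestsEqual: boolean } {
  const a = hashPassword(password);
  const b = hashPassword(password);
  return {
    randomSaltDigestsDiffer: a.hash !== b.hash && a.salt !== b.salt,
    fixedSaltDigestsEqual: hashWithFixedSalt(password) === hashWithFixedSalt(password),
  };
}

// Constructed sample usage.
const record = hashPassword("correct horse battery staple");
console.log("stored record:", record);
console.log("verify correct:", verifyPassword("correct horse battery staple", record));
console.log("verify wrong:", verifyPassword("Tr0ub4dor&3", record));
console.log("salt effect:", saltEffect("hunter2"));
```

Storing the iteration count with each record is what lets a deployment raise the work factor for new records while still verifying old ones; a single global constant would force a migration instead.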