TypeScript Insecure Hash MD4
Description
Detects use of the MD4 hash function in TypeScript code. MD4 is cryptographically broken and should not be used in security contexts: it is vulnerable to collision attacks and preimage attacks, making it unsuitable for password hashing, digital signatures, or other security use cases.
Detection Strategy
• Check for import or usage of MD4 hash function in TypeScript source code
• Look for function calls or references to 'MD4' in crypto-related operations
• Report vulnerability when MD4 hash function is used for cryptographic purposes
• Look for specific patterns like 'createHash('md4')', 'MD4.hash()', or similar MD4 instantiations
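A minimal sketch of the detection strategy above, added here as an illustration and not the scanner's own implementation: a line-based regex check that ignores comments and keeps string literals intact. The rule names, the `./vendor/md4` module path and the `createHmac` coverage are assumptions of this example.

```typescript
// Added example: simplified line-based scanner, not the product's own rule.
interface Finding { line: number; rule: string; text: string; }

// Matches a string literal (group 1, kept as is) or a comment (blanked out),
// so commented-out code is ignored and line numbers stay stable.
const STRING_OR_COMMENT =
  /("(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|`(?:\\.|[^`\\])*`)|\/\/[^\n]*|\/\*[\s\S]*?\*\//g;

function stripComments(source: string): string {
  return source.replace(STRING_OR_COMMENT, (match: string, str?: string) =>
    str !== undefined ? str : match.replace(/[^\n]/g, " "));
}

// Rule names are hypothetical. Algorithm names are matched case-insensitively.
const RULES: { rule: string; pattern: RegExp }[] = [
  // createHash('md4') / createHash('RSA-MD4'); createHmac is an added assumption.
  { rule: "md4-hash-call", pattern: /\bcreate(?:Hash|Hmac)\s*\(\s*(['"`])(?:rsa-)?md4\1/i },
  // MD4.hash(...) style calls on a library object.
  { rule: "md4-library-call", pattern: /\bMD4\s*\.\s*hash\s*\(/i },
  // import ... from '<...md4...>' or require('<...md4...>').
  { rule: "md4-import", pattern: /\b(?:from|require\s*\()\s*(['"`])[^'"`\n]*\bmd4\b[^'"`\n]*\1/i },
];

// Limitation: a call whose argument sits on the next line is not matched.
function scanForMd4(source: string): Finding[] {
  const findings: Finding[] = [];
  stripComments(source).split("\n").forEach((text, index) => {
    for (const { rule, pattern } of RULES) {
      if (pattern.test(text)) findings.push({ line: index + 1, rule, text: text.trim() });
    }
  });
  return findings;
}

// Constructed sample input modelled on the snippets on this page.
const SAMPLE = [
  "const crypto = require('crypto');",
  "import { MD4 } from './vendor/md4';",             // hypothetical module path
  "// crypto.createHash('md4') was removed earlier",  // comment: ignored
  "const a = crypto.createHash('RSA-MD4');",
  "const b = crypto.createHash( \"md4\" ).update(input);",
  "const c = MD4.hash(input);",
  "const d = crypto.createHash('sha256');",           // safe algorithm: ignored
  "const url = 'http://example.test/md4';",           // '//' inside a string
].join("\n");

// Findings on lines 2, 4, 5 and 6.
const SAMPLE_FINDINGS: Finding[] = scanForMd4(SAMPLE);
```

A regex scan like this cannot follow an algorithm name held in a variable or passed in from configuration; catching those cases needs data-flow analysis over the parsed code.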
Vulnerable code example
const crypto = require('crypto');

function hashData(input) {
  // Security issue: Using RSA-MD4 which is cryptographically broken and unsafe
  const hash = crypto.createHash('RSA-MD4');
  hash.update(input);
  return hash.digest('hex');
}
Secure code example
const crypto = require('crypto');

function hashData(input) {
  // Using SHA-256 which is cryptographically secure
  const hash = crypto.createHash('sha256');
  hash.update(input);
  return hash.digest('hex');
}