Php Hardcoded Salt In Hash
Description
Detects the use of hardcoded or static salt values in PHP's hash_pbkdf2 function. Using a predictable or hardcoded salt undermines the security of password hashing by making it vulnerable to precomputed rainbow table attacks.
Detection Strategy
• Identify calls to PHP's hash_pbkdf2 function
• Examine the third parameter (salt) of the function call
• Flag cases where the salt is a hardcoded string literal
• Flag cases where the salt is a variable that can be traced back to a hardcoded string assignment
Vulnerable code example
<?php
// VULNERABLE: Salt is an inline string literal
function unsafe_inline_salt(string $password): string
{
return hash_pbkdf2('sha256', $password, 'static_salt', 100000);
}
...✅ Secure code example
<?php
// SAFE: Salt generated from random_bytes()
function safe_random_bytes(string $password): string
{
$salt = random_bytes(16);
return hash_pbkdf2('sha256', $password, $salt, 100000);
}...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.