C Sharp Insecure Hash Usage
Description
Detects the use of cryptographically weak or broken hash algorithms in C# code that could lead to hash collisions or preimage attacks. Using algorithms like MD5 or SHA1 for security-sensitive operations like password hashing or digital signatures poses a significant security risk as these algorithms are considered cryptographically broken.
Detection Strategy
• Check for direct references to cryptographically weak hash algorithms in C# code
• Flag usages of deprecated algorithms like MD5.Create(), SHA1.Create(), or similar weak hash function calls
• Report a vulnerability when code attempts to use known insecure hashing mechanisms through their member access expressions
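The strategy above, as an added example that is not part of the Fluid Attacks rule: a small Python detector that scans C# source text for the weak-hash member-access expressions named here. The pattern list, the Finding type and the sample snippet are constructed for this example; the .NET names it matches (MD5.Create, SHA1.HashData, SHA1CryptoServiceProvider, HashAlgorithm.Create, CryptoConfig.CreateFromName) are real members, and comments are stripped first so that a comment merely mentioning MD5 is not reported.

```python
import re
from dataclasses import dataclass
from typing import List

# Hypothetical detector (added example): flag member-access expressions
# that construct MD5 or SHA-1 in C# source, as the page's strategy describes.
WEAK_HASH_PATTERNS = [
    # Static factories: MD5.Create(), SHA1.HashData(...)
    re.compile(r"\b(MD5|SHA1)\s*\.\s*(Create|HashData|HashDataAsync|TryHashData)\s*\("),
    # Legacy concrete classes: new SHA1CryptoServiceProvider(), new MD5Cng()
    re.compile(r"\bnew\s+(MD5CryptoServiceProvider|MD5Cng|SHA1CryptoServiceProvider|"
               r"SHA1Cng|SHA1Managed)\s*\("),
    # Name-based lookups: HashAlgorithm.Create("MD5"), CryptoConfig.CreateFromName("SHA1")
    re.compile(r'\b(HashAlgorithm\s*\.\s*Create|CryptoConfig\s*\.\s*CreateFromName)'
               r'\s*\(\s*"(MD5|SHA1|SHA-1)"\s*\)'),
]

@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line in the scanned source
    algorithm: str   # "MD5" or "SHA1"
    snippet: str     # the matched expression

def strip_comments(source: str) -> str:
    """Blank out // and /* */ comments while keeping line numbers stable (a '//' inside a string literal also truncates that line)."""
    source = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), source, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", "", source)

def find_weak_hashes(source: str) -> List[Finding]:
    """Return one Finding per weak-hash expression, in source order; comments are not scanned."""
    findings = []
    for lineno, line in enumerate(strip_comments(source).splitlines(), start=1):
        for pattern in WEAK_HASH_PATTERNS:
            for m in pattern.finditer(line):
                text = m.group(0)
                alg = "MD5" if "MD5" in text.upper() else "SHA1"
                findings.append(Finding(lineno, alg, text.strip()))
    return findings

# Constructed C# sample: the page's two snippets plus two other weak forms.
SAMPLE_CS = """\
// MD5 named in a comment must not be reported
MD5 md5Hash = MD5.Create();
byte[] d1 = md5Hash.ComputeHash(data);
byte[] d2 = new SHA1CryptoServiceProvider().ComputeHash(data);
HashAlgorithm h = HashAlgorithm.Create("MD5");
using SHA256 sha256Hash = SHA256.Create();
"""
```

Running find_weak_hashes(SAMPLE_CS) reports lines 2, 4 and 5 and leaves the SHA256 line and the comment alone.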
Vulnerable code example

    using System.Security.Cryptography;

    class InsecureCrypto
    {
        public void DemonstrateBadCrypto()
        {
            // Vulnerable: MD5 is cryptographically broken and unsuitable for secure hashing
            MD5 md5Hash = MD5.Create();
        }
    }

Secure code example

    using System.Security.Cryptography;

    class SecureCrypto
    {
        public void DemonstrateSecureCrypto()
        {
            // Secure: SHA256 is cryptographically strong for hashing
            using SHA256 sha256Hash = SHA256.Create();
        }
    }