Typescript Sensitive Information Weak Sha1
Description
Detects usage of the SHA-1 hashing algorithm, which is cryptographically broken and unsuitable for sensitive data. Hashing sensitive information such as passwords or tokens with SHA-1 is a security risk: collisions can be generated, potentially allowing attackers to craft malicious data with the same hash.
Detection Strategy
• Identifies imports or requires of 'crypto' or 'crypto-js' modules in TypeScript code
• Detects calls to crypto.createHash('sha1').update() from the native crypto module
• Detects usage of CryptoJS.SHA1() from the crypto-js library
• Flags the vulnerability when SHA1 is used with data parameters that could contain sensitive information
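The detection strategy above can be applied with a small line-based scanner. The following is an added example, not Fluid Attacks' own analyzer: it gates on an import or require of 'crypto' / 'crypto-js' and then reports each line that calls createHash('sha1') or CryptoJS.SHA1(). The sample sources it scans are constructed here and mirror the vulnerable snippet on this page; the Finding shape and the function names are this example's own.

```typescript
// Added example (not Fluid Attacks' scanner): a minimal line-based detector that
// applies the strategy above to TypeScript source text.
// Assumptions: the source is a single string; findings use 1-based line numbers.

interface Finding {
  line: number;
  api: "crypto.createHash" | "CryptoJS.SHA1";
  snippet: string;
}

// Step 1: the rule only applies when 'crypto' or 'crypto-js' is imported or required.
const IMPORT_RE =
  /\b(?:import\b[^;]*?\bfrom\s*|require\s*\(\s*)["'](?:node:)?(crypto|crypto-js)["']/;

// Step 2: the two SHA-1 entry points named in the detection strategy.
const CREATE_HASH_SHA1_RE = /createHash\s*\(\s*["']sha-?1["']\s*\)/i;
const CRYPTOJS_SHA1_RE = /\bCryptoJS\s*\.\s*SHA1\s*\(/;

function usesCryptoModule(source: string): boolean {
  return source.split(/\r?\n/).some((l) => IMPORT_RE.test(l));
}

function findWeakSha1(source: string): Finding[] {
  if (!usesCryptoModule(source)) return [];
  const findings: Finding[] = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    const code = text.replace(/\/\/.*$/, ""); // ignore trailing line comments
    if (CREATE_HASH_SHA1_RE.test(code)) {
      findings.push({ line: idx + 1, api: "crypto.createHash", snippet: text.trim() });
    } else if (CRYPTOJS_SHA1_RE.test(code)) {
      findings.push({ line: idx + 1, api: "CryptoJS.SHA1", snippet: text.trim() });
    }
  });
  return findings;
}

// Constructed sample inputs (not real project code).
const SAMPLE_VULNERABLE = `import crypto from "crypto";
function hashPassword(password: string): string {
  return crypto.createHash("sha1").update(password).digest("hex");
}`;

const SAMPLE_CRYPTOJS = `import CryptoJS from "crypto-js";
const token = CryptoJS.SHA1(secret).toString();`;

// Same call but no crypto import: the step-1 gate keeps the rule from firing.
const SAMPLE_NO_IMPORT = `const h = createHash("sha1");`;
```

Because the scanner works line by line, it misses a createHash call whose string argument is built at runtime or split across lines, and it cannot tell whether the hashed value is actually sensitive; a production rule works on the AST and on data-flow from parameters such as password or token, which is what the last bullet of the strategy describes.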
Vulnerable code example
import crypto from "crypto";
function hashPassword(password: string): string {
  // Vulnerable: Using SHA-1 which is cryptographically broken for security purposes
  return crypto.createHash("sha1").update(password).digest("hex");
}
✅ Secure code example
import bcrypt from "bcrypt";
async function hashPassword(password: string): Promise<string> {
  // Safe: Using bcrypt with cost factor 12 for slow, salted password hashing
  return await bcrypt.hash(password, 12);
}
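The secure example relies on the third-party bcrypt package. To show why the unsalted, fast SHA-1 digest is the wrong tool for passwords and what the replacement must provide (a per-password salt, a tunable cost and a constant-time check), the following added example uses only Node's built-in crypto module. It is not Fluid Attacks' code: scrypt stands in for bcrypt here because it ships with Node, and the scrypt$N$salt$hash storage format, the cost constant and the function names are this example's own choices.

```typescript
import { createHash, randomBytes, scryptSync, timingSafeEqual } from "crypto";

// The vulnerable pattern from this page: unsalted, fast SHA-1. Equal inputs always
// give equal digests, so a stolen hash can be matched against precomputed tables.
function sha1Hex(password: string): string {
  return createHash("sha1").update(password).digest("hex");
}

// Hardened alternative on Node's standard library (added example; scrypt is a
// stand-in for the bcrypt shown above). Stored form: scrypt$N$saltHex$hashHex
const SCRYPT_COST = 2 ** 14; // scrypt N parameter; raise as hardware allows

function hashPasswordScrypt(password: string, salt: Buffer = randomBytes(16)): string {
  // A fresh random salt per password means identical passwords hash differently.
  const key = scryptSync(password, salt, 32, { N: SCRYPT_COST });
  return ["scrypt", String(SCRYPT_COST), salt.toString("hex"), key.toString("hex")].join("$");
}

function verifyPasswordScrypt(password: string, stored: string): boolean {
  const [scheme, n, saltHex, hashHex] = stored.split("$");
  if (scheme !== "scrypt" || !n || !saltHex || !hashHex) return false;
  const expected = Buffer.from(hashHex, "hex");
  const actual = scryptSync(password, Buffer.from(saltHex, "hex"), expected.length, {
    N: Number(n),
  });
  // Constant-time comparison so the check does not leak how many bytes matched.
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}
```

Storing the cost and salt alongside the hash lets a deployment raise SCRYPT_COST later and re-hash users on their next successful login, which is the same operational property the bcrypt cost factor of 12 in the secure example provides.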