Scala Hardcoded Salt In Hash
Description
Detects the usage of hardcoded salt values in password-based encryption and hashing functions in Scala code. Using hardcoded salts eliminates the security benefits of salt values in cryptographic operations, making password hashes vulnerable to precomputation attacks like rainbow tables.
Detection Strategy
• Identifies instantiations of PBEKeySpec or PBEParameterSpec classes where the salt parameter is hardcoded
• Detects calls to SCrypt.scrypt() function where the salt argument is a hardcoded value
• Checks if salt arguments are derived from string literals or static array initializers
• Reports a vulnerability when salt values are not generated randomly or dynamically at runtime
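The strategy above can be approximated with a lightweight, line-based scan. The following Python script is an added illustration, not Fluid Attacks' own rule implementation: it assumes the salt argument positions of the constructors named in the list (PBEKeySpec(password, salt, ...), PBEParameterSpec(salt, ...) and SCrypt.scrypt(password, salt, ...)), tracks val/var bindings in order, records which arrays were filled by SecureRandom.nextBytes, and runs over a constructed Scala snippet. It goes one step beyond the list by also reporting a new Array[Byte](n) that is never filled by nextBytes, since that is an all-zero constant salt.

```python
"""Simplified line-based detector for hardcoded salts in Scala source.

Illustrative only (not Fluid Attacks' rule implementation). Bindings are
tracked in a single scope, so names rebound later shadow earlier ones;
a real analyser would resolve scopes and data flow properly.
"""
from __future__ import annotations

import re

# Sink -> 0-based index of the salt argument (assumed signatures:
# PBEKeySpec(password, salt, iterations, keyLength),
# PBEParameterSpec(salt, iterationCount),
# SCrypt.scrypt(passwd, salt, N, r, p, dkLen)).
SALT_SINKS = {"PBEKeySpec": 1, "PBEParameterSpec": 0, "SCrypt.scrypt": 1}

ASSIGN_RE = re.compile(r"^\s*(?:val|var)\s+(\w+)\s*(?::\s*[\w\[\]]+)?\s*=\s*(.+?)\s*$")
NEXT_BYTES_RE = re.compile(r"\.nextBytes\(\s*(\w+)\s*\)")
HARDCODED_RES = [
    re.compile(r'^"[^"]*"(?:\.getBytes(?:\([^)]*\))?)?$'),  # "..." or "...".getBytes(...)
    re.compile(r"^Array(?:\[Byte\])?\(\s*(?:-?\d+(?:\.toByte)?\s*,\s*)*-?\d+(?:\.toByte)?\s*\)$"),
    re.compile(r"^new\s+Array\[Byte\]\(\s*\d+\s*\)$"),  # all zeros until something fills it
]


def _split_args(text: str, start: int) -> list[str] | None:
    """Split the argument list of a call whose '(' is at text[start] on top-level commas."""
    depth, args, cur, in_str = 0, [], [], False
    for ch in text[start:]:
        if in_str:
            cur.append(ch)
            in_str = ch != '"'
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch in "([{":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch in ")]}":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return None  # unbalanced call, give up on this line


def classify_salt_expr(expr: str, bindings: dict, randomized: set, _seen=frozenset()) -> str:
    """Return 'hardcoded', 'random' or 'unknown' for a salt expression or variable name."""
    expr = expr.strip()
    if any(r.match(expr) for r in HARDCODED_RES):
        return "hardcoded"
    if "SecureRandom" in expr or "nextBytes" in expr:
        return "random"
    if re.fullmatch(r"\w+", expr) and expr not in _seen:
        if expr in randomized:
            return "random"
        if expr in bindings:
            return classify_salt_expr(bindings[expr], bindings, randomized, _seen | {expr})
    return "unknown"


def find_hardcoded_salts(scala_source: str) -> list[tuple[int, str, str]]:
    """Return (line_number, sink, salt_expression) for every sink call with a constant salt."""
    bindings: dict[str, str] = {}
    randomized: set[str] = set()
    findings = []
    for lineno, line in enumerate(scala_source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # crude comment stripping
        if m := ASSIGN_RE.match(code):
            bindings[m.group(1)] = m.group(2)
            randomized.discard(m.group(1))  # a rebinding is no longer known to be random
        for hit in NEXT_BYTES_RE.finditer(code):
            randomized.add(hit.group(1))
        for sink, salt_pos in SALT_SINKS.items():
            for call in re.finditer(r"\b" + re.escape(sink) + r"\s*\(", code):
                args = _split_args(code, call.end() - 1)
                if args and len(args) > salt_pos and \
                        classify_salt_expr(args[salt_pos], bindings, randomized) == "hardcoded":
                    findings.append((lineno, sink, args[salt_pos]))
    return findings


# Constructed Scala sample: four vulnerable sinks (lines 7, 9, 10, 13) and one safe one.
SAMPLE_SCALA = """\
import javax.crypto.spec.{PBEKeySpec, PBEParameterSpec}
import java.security.SecureRandom

object Demo {
  def weakKey(password: String) = {
    val salt = "12345678".getBytes // hardcoded string salt
    new PBEKeySpec(password.toCharArray, salt, 65536, 128)
  }
  def weakParams() = new PBEParameterSpec(Array[Byte](1, 2, 3, 4, 5, 6, 7, 8), 1000)
  def weakScrypt(pw: Array[Byte]) = SCrypt.scrypt(pw, "static-salt".getBytes("UTF-8"), 16384, 8, 1, 32)
  def forgotNextBytes(password: String) = {
    val salt = new Array[Byte](16)
    new PBEKeySpec(password.toCharArray, salt, 65536, 128)
  }
  def strongKey(password: String) = {
    val salt = new Array[Byte](16)
    new SecureRandom().nextBytes(salt)
    new PBEKeySpec(password.toCharArray, salt, 65536, 128)
  }
}
"""

if __name__ == "__main__":
    for lineno, sink, salt in find_hardcoded_salts(SAMPLE_SCALA):
        print(f"line {lineno}: {sink} called with hardcoded salt {salt}")
```

Running the script lists the four vulnerable calls and stays silent on strongKey, whose array is filled by nextBytes before use. The forgotNextBytes case is the one worth remembering when reviewing fixes: allocating the array is not the same as randomizing it.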
Vulnerable code example
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec

object CryptoExample {
  def generateKey(password: String): Array[Byte] = {
    val salt = "12345678".getBytes // Vulnerable: using a hardcoded salt instead of a random salt
    val spec = new PBEKeySpec(password.toCharArray, salt, 65536, 128)
    val factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
    factory.generateSecret(spec).getEncoded // Every caller using this password gets the same key
  }
}

Secure code example
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec
import java.security.SecureRandom

object CryptoExample {
  def generateKey(password: String): Array[Byte] = {
    val random = new SecureRandom()
    val salt = new Array[Byte](16) // Using 16 bytes (128 bits) for salt
    random.nextBytes(salt) // Fill the salt with cryptographically secure random bytes
    val spec = new PBEKeySpec(password.toCharArray, salt, 65536, 128)
    val factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
    // The salt is not secret but must be stored alongside the derived key
    // so the same key can be recomputed when the password is verified
    factory.generateSecret(spec).getEncoded
  }
}