Java Insecure Hash Algorithm
Description
Detects usage of cryptographically weak hash algorithms (like MD5, SHA-1) in Java applications through common libraries like Apache Commons Codec and Google Guava. These algorithms are considered cryptographically broken and should not be used for security purposes as they are vulnerable to collision attacks.
Detection Strategy
• Check for method calls to insecure hashing functions from Apache Commons Codec (e.g., DigestUtils.md5(), DigestUtils.sha1())
• Check for method calls to insecure hashing functions from Google Guava library (e.g., Hashing.md5(), Hashing.sha1())
• Check for usage of weak Java security specifications like MGF1ParameterSpec.SHA1
• Identify calls to deprecated hash functions including MD2, MD5, SHA-1, CRC32, and Adler32
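The checks above, implemented as a small line-based scanner over Java source. This is an added illustration written for this page, not Fluid Attacks' own rule engine; the regex set, the finding labels and the sample Java snippet are constructed assumptions.

```python
from __future__ import annotations
import re

# One regex per check in the detection strategy above (label, pattern).
WEAK_HASH_PATTERNS: list[tuple[str, re.Pattern[str]]] = [
    # Apache Commons Codec: DigestUtils.md2/md5/sha1 and their ...Hex variants
    ("commons-codec weak digest", re.compile(r"\bDigestUtils\.(md2|md5|sha1)(Hex)?\s*\(")),
    # Google Guava: Hashing.md5(), Hashing.sha1(), Hashing.crc32(), Hashing.adler32()
    ("guava weak hash function", re.compile(r"\bHashing\.(md5|sha1|crc32|adler32)\s*\(")),
    # Weak mask-generation spec for OAEP/PSS padding
    ("weak MGF1 parameter spec", re.compile(r"\bMGF1ParameterSpec\.SHA1\b")),
    # JCA lookup of a weak algorithm by name: "MD2", "MD5", "SHA-1", "SHA1"
    ("weak MessageDigest algorithm",
     re.compile(r"""MessageDigest\.getInstance\(\s*["'](MD2|MD5|SHA-?1)["']""", re.I)),
    # java.util.zip checksums are not cryptographic hashes
    ("non-cryptographic checksum", re.compile(r"\bnew\s+(CRC32|Adler32)\s*\(")),
]

def scan_java_source(source: str) -> list[tuple[int, str, str]]:
    """Return (line_number, label, matched_text) for each weak-hash use.
    Trailing '//' comments are stripped first so commented-out code is not
    reported; '//' inside a string literal is a blind spot of this line-based
    approach (a real SAST engine matches on the parsed AST instead).
    """
    findings: list[tuple[int, str, str]] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = raw.split("//", 1)[0]
        for label, pattern in WEAK_HASH_PATTERNS:
            for match in pattern.finditer(code):
                findings.append((lineno, label, match.group(0)))
    return findings

# Constructed Java snippet (not from the page) exercising every check once.
SAMPLE_JAVA = """\
public class Demo {
    String a = DigestUtils.md5Hex(data);                     // flagged
    HashCode b = Hashing.sha1().hashBytes(data);             // flagged
    MessageDigest c = MessageDigest.getInstance("SHA-1");    // flagged
    MGF1ParameterSpec d = MGF1ParameterSpec.SHA1;            // flagged
    CRC32 e = new CRC32();                                   // flagged
    // MessageDigest.getInstance("MD5");                        commented out: skipped
    MessageDigest f = MessageDigest.getInstance("SHA-256");  // accepted
    String g = DigestUtils.sha256Hex(data);                  // accepted
}
"""

if __name__ == "__main__":
    for lineno, label, text in scan_java_source(SAMPLE_JAVA):
        print(f"line {lineno}: {label}: {text}")
```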
Vulnerable code example
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
public class CryptoVulnerabilities {
public void insecureEncryption() throws Exception {
// Vulnerable: DES is a weak encryption algorithm
Cipher c1 = Cipher.getInstance("DES");
...
✅ Secure code example
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.spec.GCMParameterSpec;
import java.security.MessageDigest;
public class CryptoVulnerabilities {
...