Javascript Bcrypt Unsafe Empty Password
Description
This detector identifies unsafe bcrypt hashing operations in JavaScript code where empty or null passwords might be passed to the bcrypt.hash() function. Empty passwords create weak or predictable hashes that can compromise authentication security, as they provide no actual protection against unauthorized access.
Detection Strategy
• Scans JavaScript source code for imports or requires of the 'bcrypt' library
• Identifies all calls to the bcrypt.hash() method (using the library's default alias)
• Flags bcrypt.hash() calls where the password parameter could be empty, null, or undefined
• Reports the vulnerability when bcrypt hashing is attempted with potentially empty password values
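The strategy above, as an added example that is not Fluid Attacks' own detector: a minimal text-based scanner that first checks for a bcrypt import and then flags every bcrypt.hash() call whose first argument is a literal empty string, null or undefined, reporting the line it occurs on. The regular expressions, the findings shape and the sample source are all assumptions made for this illustration.

```javascript
// Added example (not the Fluid Attacks detector): flag bcrypt.hash() calls
// whose password argument is literally "", '', ``, null or undefined.
// Works on the raw source text, so no JavaScript parser is required.
const BCRYPT_IMPORT_RE = /require\(\s*['"]bcrypt['"]\s*\)|from\s+['"]bcrypt['"]/;
// Capture the first argument of bcrypt.hash(...), up to the next ',' or ')'.
const HASH_CALL_RE = /\bbcrypt\s*\.\s*hash\s*\(\s*([^,)]*)/g;
const EMPTY_LITERALS = new Set(['""', "''", '``', 'null', 'undefined']);

function findUnsafeBcryptHash(source) {
  const findings = [];
  // Step 1: only report on files that actually pull in the bcrypt library.
  if (!BCRYPT_IMPORT_RE.test(source)) return findings;
  // Step 2: walk every bcrypt.hash() call and inspect its password argument.
  for (const match of source.matchAll(HASH_CALL_RE)) {
    const firstArg = match[1].trim();
    const line = source.slice(0, match.index).split('\n').length;
    // Step 3: a literal empty/null/undefined password is the finding.
    if (EMPTY_LITERALS.has(firstArg)) {
      findings.push({
        line,
        argument: firstArg,
        message: `bcrypt.hash() called with ${firstArg} as the password`,
      });
    }
  }
  return findings;
}

// Constructed sample source: two unsafe calls and one that hashes a variable.
const SAMPLE_SOURCE = `const bcrypt = require('bcrypt');
async function a() { return bcrypt.hash("", 10); }
async function b(p) { return bcrypt.hash(p, 10); }
async function c() {
  return bcrypt.hash(
    null, // hashing null
    10
  );
}
`;

console.log(findUnsafeBcryptHash(SAMPLE_SOURCE));
```

A variable argument such as `p` is deliberately not flagged here; deciding whether a variable can be empty at runtime needs data-flow analysis, which this text scanner does not attempt.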
Vulnerable code example
```javascript
const bcrypt = require('bcrypt');

async function vulnerableBcryptEmpty() {
  const hash = await bcrypt.hash(
    "", // Vulnerable: hashing an empty password allows authentication bypass
    10
  );
  return hash;
}
```

✅ Secure code example
```javascript
const bcrypt = require('bcrypt');

async function secureBcryptWithValidation(password) {
  if (!password || password.length === 0) {
    throw new Error("Password must not be empty"); // Prevent authentication bypass
  }
  const hash = await bcrypt.hash(
    password, // Safe: validated non-empty password
    10
  );
  return hash;
}
```