Javascript Sensitive Information Weak Sha1
Description
Detects the use of the SHA-1 hashing algorithm, which is cryptographically broken and should not be used to protect sensitive information. Practical SHA-1 collisions have been demonstrated, which rules it out for digital signatures, certificates and other integrity uses; for password hashing it is additionally unsuitable because it is a fast, unsalted general-purpose hash rather than a deliberately slow, salted password-hashing function, so leaked digests can be attacked with precomputed tables and brute force.
Detection Strategy
• Identifies calls to SHA-1 hashing functions from the Node.js 'crypto' module using pattern 'crypto.createHash("sha1").update()'
• Detects usage of SHA-1 from the crypto-js library through calls to 'CryptoJS.SHA1()'
• Reports a vulnerability when SHA-1 hashing is used with data that could be sensitive (like passwords, tokens, or credentials)
• Checks import aliases for both 'crypto' and 'crypto-js' modules to catch different import patterns
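The four points above describe what the rule looks for. The following is an added example, not Fluid Attacks' scanner: a minimal text-based detector that resolves local aliases for the 'crypto' and 'crypto-js' modules (both require() and import forms), flags createHash('sha1') and CryptoJS.SHA1() calls through those aliases, and ignores unrelated objects that happen to expose a createHash method. The "sensitive" keyword heuristic and the sample source it runs over are constructed for this example.

```javascript
// Added example (not Fluid Attacks' scanner): a minimal text-based detector for
// the patterns listed above. It resolves local aliases for the 'crypto' and
// 'crypto-js' modules, then flags createHash('sha1') and CryptoJS.SHA1() calls.
// The "sensitive" heuristic (identifier keywords on the same line) is an assumption.

const CRYPTO_MODULES = { crypto: 'node', 'crypto-js': 'cryptojs' };
const SENSITIVE_WORDS = /password|passwd|secret|token|credential|apikey|api_key/i;

// Map every local name bound to crypto / crypto-js via require() or import.
function collectAliases(source) {
  const aliases = new Map(); // local name -> 'node' | 'cryptojs'
  const patterns = [
    /(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*['"]([\w-]+)['"]\s*\)/g,
    /import\s+(?:\*\s+as\s+)?(\w+)\s+from\s+['"]([\w-]+)['"]/g,
  ];
  for (const re of patterns) {
    for (const m of source.matchAll(re)) {
      const kind = CRYPTO_MODULES[m[2]];
      if (kind) aliases.set(m[1], kind);
    }
  }
  return aliases;
}

// Build the call pattern for one alias. Node accepts the algorithm name in any
// case ('sha1', 'SHA1'), so the name is matched case-insensitively while the
// alias itself stays case-sensitive.
function sha1CallPattern(alias, kind) {
  return kind === 'node'
    ? new RegExp(`\\b${alias}\\.createHash\\(\\s*['"][sS][hH][aA]1['"]\\s*\\)`)
    : new RegExp(`\\b${alias}\\.SHA1\\s*\\(`);
}

// Return one finding per (line, alias) that calls SHA-1 through a known alias.
function findWeakSha1(source) {
  const aliases = collectAliases(source);
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const [alias, kind] of aliases) {
      if (sha1CallPattern(alias, kind).test(line)) {
        findings.push({
          line: idx + 1,
          module: kind,
          sensitive: SENSITIVE_WORDS.test(line),
          snippet: line.trim(),
        });
      }
    }
  });
  return findings;
}

// Constructed sample source: two aliases of 'crypto', one of 'crypto-js', and
// one unrelated object that also has a createHash method.
const SAMPLE_SOURCE = [
  "const crypto = require('crypto');",                                      // 1
  "import CryptoJS from 'crypto-js';",                                      // 2
  "const nodeCrypto = require('crypto');",                                  // 3
  "function hashPassword(password) {",                                      // 4
  "  return crypto.createHash('sha1').update(password).digest('hex');",     // 5  flagged
  "}",                                                                      // 6
  "const token = CryptoJS.SHA1(secret).toString();",                        // 7  flagged
  "const ok = nodeCrypto.createHash('sha256').update(data).digest('hex');", // 8  fine
  "const unrelated = other.createHash('sha1');",                            // 9  not a crypto alias
].join('\n');

// Human-readable report, one line per finding.
function report(source) {
  return findWeakSha1(source).map(
    (f) => `line ${f.line} [${f.module}]${f.sensitive ? ' sensitive' : ''}: ${f.snippet}`
  );
}

console.log(report(SAMPLE_SOURCE).join('\n'));
```

Running it prints two findings (lines 5 and 7) and nothing for the SHA-256 call or the unrelated createHash on line 9. A real rule would use the AST rather than line regexes, and would trace data flow to decide whether the hashed value is sensitive; the keyword check here only approximates that last step.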
Vulnerable code example
const crypto = require('crypto');
function hashPassword(password) {
  return crypto.createHash('sha1') // Vulnerable: SHA-1 is cryptographically broken
    .update(password)              // and no salt is used, so equal passwords give equal digests
    .digest('hex');
}

✅ Secure code example
const crypto = require('crypto');
function hashPassword(password) {
  const salt = crypto.randomBytes(16); // Generate cryptographically strong salt
  const iterations = 310000; // OWASP recommended minimum iterations
  const hash = crypto.pbkdf2Sync(
    password,
    salt,
    iterations,
    32,       // derived key length in bytes (assumed; the original snippet is cut off here)
    'sha256'  // PRF digest (assumed; 310,000 is the OWASP figure for PBKDF2-HMAC-SHA256)
  );
  return `${salt.toString('hex')}:${hash.toString('hex')}`; // store the salt alongside the hash (assumed)
}