CWE-759: Use of a One-Way Hash without a Salt

Learn about CWE-759 (Use of a One-Way Hash without a Salt), its security impact, exploitation methods, and prevention guidelines.

What is Use of a One-Way Hash without a Salt?

• Overview: Use of a One-Way Hash without a Salt (CWE-759) occurs when a cryptographic hash function is applied to sensitive inputs such as passwords without incorporating a unique, random value (the salt), leaving the stored hashes susceptible to precomputed-table attacks.

• Exploitation Methods:

  • Because every occurrence of a given password hashes to the same value, attackers can use dictionary attacks and precomputed hash tables, such as rainbow tables, to find matching hashes quickly.
  • Common attack patterns include applying large amounts of computing power to offline password cracking of exposed hash values.

• Security Impact:

  • Direct consequences include unauthorized access to user accounts if passwords are cracked.
  • Potential cascading effects include compromised data integrity and confidentiality across systems using the same hashing practice.
  • Business impact could involve data breaches, loss of customer trust, legal liabilities, and financial penalties.

• Prevention Guidelines:

  • Specific code-level fixes include always salting the hash: generate a unique, random salt for each password and store it alongside the resulting hash so the password can later be verified.
  • Security best practices involve employing adaptive hash functions like bcrypt, scrypt, or Argon2, which are deliberately computationally expensive and therefore slow offline cracking.
  • Recommended tools and frameworks include well-established password-storage primitives such as Password-Based Key Derivation Function 2 (PBKDF2), or the built-in password hashing functions provided by vetted libraries, rather than a bare call to a general-purpose hash.
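
As an added example (not Corgea's code and not part of the CWE entry), the unsalted pattern the entry describes beside a salted, iterated PBKDF2-HMAC-SHA256 scheme built from Python's standard library; the iteration count, salt length and the `scheme$iterations$salt$digest` storage format are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: iteration count chosen for the example; raise it as hardware improves.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """CWE-759 pattern: a bare one-way hash with no salt.

    Every user with the same password gets the same digest, so one
    precomputed table of digests (a rainbow table) cracks all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt=None) -> str:
    """Salted, iterated hash, stored as 'pbkdf2_sha256$iterations$salt$digest'.

    The salt is kept with the hash; it is not secret, it only has to be
    unique per password so precomputed tables no longer apply.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: reject rather than guess
    if scheme != "pbkdf2_sha256" or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)
```

Two users who choose the same password receive identical `weak_hash` values but distinct `hash_password` records, which is exactly the property that makes precomputed tables useless against the salted form.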

Corgea can automatically detect and fix Use of a One-Way Hash without a Salt in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not specified

Affected Technologies: Not specified

In cryptography, a salt is random data added to an input before hashing; because each input then hashes to a different value even when the underlying secret is the same, dictionary attacks become more difficult.

