CWE-760: Use of a One-Way Hash with a Predictable Salt

Learn about CWE-760 (Use of a One-Way Hash with a Predictable Salt), its security impact, exploitation methods, and prevention guidelines.

What is Use of a One-Way Hash with a Predictable Salt?

• Overview: Use of a One-Way Hash with a Predictable Salt occurs when a software product protects data such as passwords with a cryptographic hash but combines the input with a salt that is fixed, shared across users, or otherwise predictable. Because the salt no longer varies per input, the hash loses the protection the salt was meant to provide and becomes more vulnerable to attacks.

• Exploitation Methods:

  • Attackers can exploit this weakness by pre-computing hash values for the known salt (for example, with rainbow tables) and then matching stored hashes against that table to recover the original passwords.
  • Common attack patterns include dictionary attacks, in which attackers hash a list of common passwords with the predictable salt once and reuse the resulting table against every stored hash.

• Security Impact:

  • Direct consequences of successful exploitation include unauthorized access to user accounts and sensitive data.
  • Potential cascading effects include further system compromise if the attacker gains elevated access through cracked credentials.
  • Business impact can involve data breaches, loss of customer trust, and potential legal consequences.

• Prevention Guidelines:

  • Specific code-level fixes include using a cryptographic hash function with a strong, unique, and sufficiently random salt for each password.
  • Security best practices involve implementing adaptive hash functions like bcrypt, Argon2, or PBKDF2 that are designed to be computationally expensive.
  • Recommended tools and frameworks include using libraries that provide secure password hashing functions, ensuring salts are generated using secure random number generators.
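The following added example (not code from the page or from Corgea) illustrates both the exploitation point above and the prevention guidelines: a fixed application-wide salt makes a stored hash depend only on the password, so two users with the same password store the same digest and one precomputed table serves every account, whereas a per-password salt from the OS CSPRNG combined with PBKDF2 gives every record a distinct value. The salt constant, user names, passwords and the `pbkdf2_sha256$iterations$salt$digest` storage format are constructed assumptions for the demonstration; `duplicate_digest_users` is a hypothetical audit helper that flags the tell-tale sign of a shared or predictable salt in a stored credential table.

```python
import hashlib
import hmac
import secrets

# Weak pattern: one application-wide salt reused for every user (constructed value).
PREDICTABLE_SALT = b"app-salt-v1"


def weak_hash(password: str, salt: bytes = PREDICTABLE_SALT) -> str:
    """One fast SHA-256 pass over a fixed salt (the CWE-760 pattern).

    The digest depends only on the password, so identical passwords collide
    and a table of digests built once for this salt matches every user.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def strong_hash(password: str, iterations: int = 600_000) -> str:
    """Per-password random salt plus an adaptive (slow) KDF.

    The 16-byte salt comes from the OS CSPRNG via the secrets module, so no
    two records share a salt and no table can be precomputed ahead of time.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Store algorithm, work factor and salt next to the digest (assumed format).
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute the digest with the record's own salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_digest_users(records: dict[str, str]) -> list[list[str]]:
    """Audit helper: group usernames whose stored hash values are identical.

    With a unique random salt per record this should always be empty, even
    when users share a password; non-empty groups indicate a shared or
    predictable salt (or no salt at all).
    """
    by_digest: dict[str, list[str]] = {}
    for user, stored in records.items():
        by_digest.setdefault(stored, []).append(user)
    return [sorted(users) for users in by_digest.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample: two users chose the same password.
    shared_password = "Summer2024!"
    weak_table = {
        "alice": weak_hash(shared_password),
        "bob": weak_hash(shared_password),
        "carol": weak_hash("correct horse battery staple"),
    }
    strong_table = {
        "alice": strong_hash(shared_password),
        "bob": strong_hash(shared_password),
        "carol": strong_hash("correct horse battery staple"),
    }
    print("weak table duplicate groups:  ", duplicate_digest_users(weak_table))
    print("strong table duplicate groups:", duplicate_digest_users(strong_table))
    print("alice verifies:", verify_strong(shared_password, strong_table["alice"]))
```

The audit helper is the practical takeaway: running it over an exported credential table is a quick way to spot the weakness in an existing system, since any group of users sharing a digest means the salt cannot be unique per password. The `iterations` parameter is exposed so the work factor can be raised as hardware improves; the default is only a constructed starting point, not a recommendation from the page.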

Corgea can automatically detect and fix Use of a One-Way Hash with a Predictable Salt in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not specified

Affected Technologies: Not specified

In cryptography, a salt is random data added to an input before hashing so that precomputed tables cannot be reused, which makes dictionary attacks more difficult.
