SV.AUTH.HASH.MIGHT
Use of weak cryptographic algorithm
The SV.AUTH.HASH checkers detect whenever the MD5 hashing technique is used with the username/password fetched from the servlet's request. If username is used, then Klocwork reports an SV.AUTH.HASH.MIGHT defect. If password is used to generate MD5, then Klocwork reports an SV.AUTH.HASH.MUST defect.
Vulnerability and risk
The use of a weak cryptographic algorithm weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.
Vulnerable code example 1
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String userName = request.getParameter("userName"); //Source
String md5 = getMd5(userName);
...
}
public static String getMd5(String str)
{
try {
MessageDigest md = MessageDigest.getInstance("MD5"); //SV.WEAK.CRYPT
byte[] messageDigest = md.digest(str.getBytes()); //SV.AUTH.HASH.MIGHT - Sink
//...
}
In this example, Klocwork reports an SV.AUTH.HASH.MIGHT on line 11, indicating, "Use of risky MD5 hash with username can lead to authentication bypass.".
Fixed code example 1
public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String userName = request.getParameter("userName");
String md5 = getMd5(userName);
...
}
public static String getMd5(String str)
{
try {
MessageDigest md = MessageDigest.getInstance("SHA3-256");
byte[] messageDigest = md.digest(str.getBytes());
//...
}
In the fixed example, Klocwork no longer reports a defect because a safer hashing technique is used.
Related checkers
External guidance
Security training
Application security training materials provided by Secure Code Warrior.