SV.AUTH.HASH.MIGHT

Use of weak cryptographic algorithm

The SV.AUTH.HASH checkers detect whenever the MD5 hashing technique is used with the username/password fetched from the servlet's request. If username is used, then Klocwork reports an SV.AUTH.HASH.MIGHT defect. If password is used to generate MD5, then Klocwork reports an SV.AUTH.HASH.MUST defect.

As of release 2023.2, this checker supports Jakarta EE.

Vulnerability and risk

The use of a weak cryptographic algorithm weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.

Vulnerable code example 1

Copy
  public void doGet(HttpServletRequest request, HttpServletResponse response) 
    throws ServletException, IOException {
     String userName = request.getParameter("userName"); //Source
     String md5 = getMd5(userName);
     ...
  }
  public static String getMd5(String str)
     {
         try {
             MessageDigest md = MessageDigest.getInstance("MD5"); //SV.WEAK.CRYPT
             byte[] messageDigest = md.digest(str.getBytes());   //SV.AUTH.HASH.MIGHT - Sink
             //...
     }

In this example, Klocwork reports an SV.AUTH.HASH.MIGHT on line 11, indicating, "Use of risky MD5 hash with username can lead to authentication bypass.".

Fixed code example 1

Copy
  public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
       String userName = request.getParameter("userName");
       String md5 = getMd5(userName);
       ...
  }
  public static String getMd5(String str)
  {
   try {
       MessageDigest md = MessageDigest.getInstance("SHA3-256");
      byte[] messageDigest = md.digest(str.getBytes());
      //...
  }

In the fixed example, Klocwork no longer reports a defect because a safer hashing technique is used.

Related checkers

Security training

Application security training materials provided by Secure Code Warrior.