SV.AUTH.HASH.MUST

Use of weak cryptographic algorithm

The SV.AUTH.HASH checkers detect whenever the MD5 hashing technique is used with the username/password fetched from the servlet's request. If username is used, then Klocwork reports an SV.AUTH.HASH.MIGHT defect. If password is used to generate MD5, then Klocwork reports an SV.AUTH.HASH.MUST defect.

As of release 2023.2, this checker supports Jakarta EE.

Vulnerability and risk

The use of a weak cryptographic algorithm weakness can lead to the exposure of resources or functionality to unintended actors, possibly providing attackers with sensitive information or even the ability to execute arbitrary code.

Vulnerable code example 1

Copy 
  public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
       String password = request.getParameter("password"); //Source
       String md5 = getMd5(password);
       ...
  }
  public static String getMd5(String str)
  {
   try {
       MessageDigest md = MessageDigest.getInstance("MD5"); //SV.WEAK.CRYPT
      byte[] messageDigest = md.digest(str.getBytes()); //SV.AUTH.HASH.MUST - Sink
      //...
  }

In this example, Klocwork reports an SV.AUTH.HASH.MUST on line 10, indicating, "Use of risky MD5 hash with password can lead to authentication bypass".

Fixed code example 1

Copy 
  public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
       String password = request.getParameter("password"); //Source
       String md5 = getMd5(password);
       ...
  }
  public static String getMd5(String str)
  {
   try {
       MessageDigest md = MessageDigest.getInstance("SHA3-256");
      byte[] messageDigest = md.digest(str.getBytes());
      //...
  }

In the fixed example, Klocwork no longer reports a defect because a safer hashing technique is used.

External guidance

Security training

Application security training materials provided by Secure Code Warrior.