Usage of weak hashing library (MD5)

  • Rule ID: javascript_lang_weak_hash_md5
  • Languages: javascript
  • Source: weak_hash_md5.yml

Description

Using a weak hashing library like MD5 increases the risk of data breaches. MD5 is vulnerable to collision attacks, in which two different inputs produce the same digest, so any integrity or security check built on an MD5 digest can be defeated.

Remediations

  • Do not use MD5 for hashing or security purposes. It is no longer considered secure for cryptographic applications.
  • Do opt for stronger hashing algorithms like SHA-256 for enhanced security.
    const crypto = require("crypto");

    // Replace createHash("md5") with a SHA-2 family digest; the rule's remediation
    // example keys the digest with an application secret via HMAC-SHA256.
    const key = "secret key";
    const user = { password: "example-password" }; // placeholder input for illustration
    const hash = crypto.createHmac("sha256", key).update(user.password).digest('hex');

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_weak_hash_md5

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=javascript_lang_weak_hash_md5