Fixes OWASP/mastg#2585 [MASWE-0021] Weak Hashing #2
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sydseter
changed the title
Diolor
suggested changes
Oct 29, 2025
Co-authored-by: Dionysis Lorentzos <ddl449@gmail.com>
Co-authored-by: Dionysis Lorentzos <ddl449@gmail.com>
Updated language for clarity and consistency regarding hashing algorithms and their vulnerabilities.
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR completes the documentation for MASWE-0021 (Improper Hashing), transitioning it from placeholder status to a full weakness description. The PR adds comprehensive content covering cryptographic hashing vulnerabilities, their impact, modes of introduction, and mitigation strategies.
Key Changes:
- Added complete weakness documentation with Overview, Impact, Modes of Introduction, and Mitigations sections
- Updated references to include additional NIST and CWE resources
- Changed status from "placeholder" to "new"
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
cpholguera
requested changes
Nov 15, 2025
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
Co-authored-by: Carlos Holguera <perezholguera@gmail.com>
Collaborator
|
@Diolor could you please take another look? We added a couple of changes. |
Diolor
reviewed
Nov 20, 2025
|
|
||
| ## Overview | ||
|
|
||
| --- |
Collaborator
There was a problem hiding this comment.
i guess no need
Suggested change
| --- |
Comment on lines
41
to
43
| - **Loss of authenticity**: A hashing algorithm, known to be vulnerable to collision attacks, may compromise the authenticity of the data as it allows for two data sources to be identical. | ||
| - **Loss of integrity**: Algorithms that are susceptible to length extension attacks may allow an attacker to compromise the integrity of the data by appending data to the original data source. | ||
| - **Loss of confidentiality**: A hashing algorithm, known to be vulnerable to pre-image attacks, increases the likelihood that encrypted data can be leaked through using cryptoanalysis or brute-force. |
Collaborator
There was a problem hiding this comment.
Suggested change
| - **Loss of authenticity**: A hashing algorithm, known to be vulnerable to collision attacks, may compromise the authenticity of the data as it allows for two data sources to be identical. | |
| - **Loss of integrity**: Algorithms that are susceptible to length extension attacks may allow an attacker to compromise the integrity of the data by appending data to the original data source. | |
| - **Loss of confidentiality**: A hashing algorithm, known to be vulnerable to pre-image attacks, increases the likelihood that encrypted data can be leaked through using cryptoanalysis or brute-force. | |
| - **Loss of integrity**: A hashing algorithm that is susceptible to length extension or collision attacks may compromise the integrity. | |
| - **Loss of confidentiality**: A hashing algorithm that is susceptible to pre-image attacks may compromise encrypted data through cryptoanalysis. | |
| - **Loss of authenticity**: A hashing algorithm that is susceptible to collision attacks, when used with MAC, HMAC, or digital signatures, may compromise the authenticity of the data. |
|
|
||
| ## Overview | ||
|
|
||
| Using deprecated, risky, or broken hash algorithms may compromise data integrity and make offline attacks practical. In mobile apps this often appears in three areas: hashing for integrity of local data, hashing of passwords or PINs, and hashing or deriving keys from low-entropy identifiers. Weak or misused hash functions allow adversaries to tamper with data, find collisions, recover secrets, or brute force hashed values. |
Collaborator
There was a problem hiding this comment.
This WE and WE-24 (and potentially more) overlap: hashes are used by MACs. We need to address the weak issue only once. Here seems to be the best place and reference other WEs back to here when needed.
Suggested change
| Using deprecated, risky, or broken hash algorithms may compromise data integrity and make offline attacks practical. In mobile apps this often appears in three areas: hashing for integrity of local data, hashing of passwords or PINs, and hashing or deriving keys from low-entropy identifiers. Weak or misused hash functions allow adversaries to tamper with data, find collisions, recover secrets, or brute force hashed values. | |
| Hashes have a wide range of applications. In mobile apps, they may notably appear in areas like: | |
| - Hashing for the integrity, such as local data | |
| - Hashing for storage of passwords or PINs | |
| - Key derivation functions (KDFs) | |
| - MACs | |
| - Signatures (such as the ones used in JWTs) |
The other content I removed reads like a repetition of "impact"
Comment on lines
+29
to
+31
| Hash functions that no longer provide adequate [collision](https://en.wikipedia.org/wiki/Collision_attack) or [preimage](https://en.wikipedia.org/wiki/Preimage_attack) resistance, such as MD5 and SHA-1, enable adversaries to craft different inputs that produce the same hash or to recover the original input more efficiently than brute force. Similarly, using generic fast hash functions for low-entropy inputs like passwords, PINs, device identifiers, or email addresses allows practical offline brute force or dictionary attacks. | ||
|
|
||
| Hash-based KDFs such as HKDF are suitable only when the input secret already has high entropy. They are not appropriate as substitutes for password hashing functions because they do not provide work factors or memory hardness. |
Collaborator
There was a problem hiding this comment.
Let's follow the above suggestion and distinguish hash usages, thus different attacks.
Suggested change
| Hash functions that no longer provide adequate [collision](https://en.wikipedia.org/wiki/Collision_attack) or [preimage](https://en.wikipedia.org/wiki/Preimage_attack) resistance, such as MD5 and SHA-1, enable adversaries to craft different inputs that produce the same hash or to recover the original input more efficiently than brute force. Similarly, using generic fast hash functions for low-entropy inputs like passwords, PINs, device identifiers, or email addresses allows practical offline brute force or dictionary attacks. | |
| Hash-based KDFs such as HKDF are suitable only when the input secret already has high entropy. They are not appropriate as substitutes for password hashing functions because they do not provide work factors or memory hardness. | |
| Depending on their usage and the construction of the hash algorithm, weak hashes may enable different attacks such as collision (classic i.e. birthday attack or Chosen-prefix collision), preimage, precomputed dictionary (rainbow table), and length extension. | |
| Notably, MD5 and SHA-1 are considered weak algorithms for most of the above usages. For example, they are both vulnerable or risky to use against all the above attacks. |
I removed the specifics as this would lead to "need" all 5 usages, attacks, and specifics. We should balance length with content and include further reads per attack (e.g. wiki, NIST).
Comment on lines
+35
to
+37
| - **Account compromise**: Storing passwords, PINs, tokens, or other low-entropy secrets using fast generic hash functions such as SHA-256 allows attackers who obtain the hashes to perform offline brute force attacks and recover credentials. | ||
| - **Loss of integrity**: If an app uses a collision-prone or structurally weak hash to protect configuration files or offline data, an attacker may modify the data and still pass integrity checks by generating a colliding value. | ||
| - **Loss of confidentiality**: If encryption keys or key encryption keys are derived by hashing low-entropy input, such as device identifiers or user passwords, attackers can brute force the hash, recover the key, and decrypt protected data. |
Collaborator
There was a problem hiding this comment.
Just noticed in G-Doc guidelines some predefined impacts. Could you maybe use those?
| - **Using non-resource-intensive algorithms on low-entropy input**: For example hashing passwords or PINs with a single SHA-256 call instead of using a proper password hashing function with salt and work factor. | ||
| - **Using unsafe or overly short truncation of hashes**: For instance truncating a message digest to below recommended lengths reduces its security strength. [NIST SP 800-107 Rev 1](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf) indicates: "The length of truncated message digests used shall be at least twice the desired security strength required for the digital signature". | ||
|
|
||
| ## Mitigations |
Collaborator
There was a problem hiding this comment.
Let's see how we form overview + impact and we can form "modes of introduction" and "mitigations", but we should have one mitigation per one mode of introduction.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR closes #2585
Description
See issue for details
[x] I have read the contributing guidelines.
Guidelines for Pull Requests (you can delete this section after reading):