Audit required: Insecure hash function PTC-W1003
Use of insecure hashlib.md5 hash function
133 chart_basic_info = "\n".join(
134 [f"{c[0]}: {charts[i].get(c[1])}" for c in chart_info.items()]
135 )
136 result_id: str = hashlib.md5(i.encode()).hexdigest()137 items.append(
138 InlineQueryResultArticle(
139 id=result_id,Use of insecure hashlib.md5 hash function
104async def find_music(inline_query: InlineQuery):
105 text = inline_query.query
106
107 result_id: str = hashlib.md5(text.encode()).hexdigest()108 score = {}
109 for i in music_name:
110 score[i] = fuzz.token_sort_ratio(text, i.lower())
Description
D2, MD4, MD5, SHA1 signature algorithms are known to be vulnerable to collision attacks. Attackers can exploit this to generate another certificate with the same digital signature, allowing them to masquerade as the affected service.
A hash function takes a variable-length digital input and coverts it into a fixed-length random hash value.
Hasing algorthems like MD5 and SHA-1 are vulnerable to collision attacks. In a collision attack an attacker finds two messages with the same hashed output and sends the incorrect one to the receiver.
It is recommended to use safer alternatives, such as SHA-256, SHA-512, SHA-3.
Bad practice
import hashlib
import Crypto
m1 = hashlib.md5() # Insecure, Use of MD5
m2 = hashlib.sha1() # Insecure, Use of SHA1
m3 = Crypto.Hash.MD5.new() # Insecure, Use of MD5
Recommended
import hashlib
import Crypto
m1 = hashlib.sha512()
m2 = hashlib.sha256()
m3 = Crypto.Hash.SHA256.new()
References:
- OWASP Top 10 2021 Category A02 - Cryptographic Failures
- OWASP Top 10 2021 Category A06 - Vulnerable and Outdated Components
- CWE 327 - Use of a Broken or Risky Cryptographic Algorithm
- Breaking MD5 and other hash functions