
C-sharp : Empty salt

Overview

One attack on password authentication systems uses tables of precomputed hashes of common passwords. A salt is an arbitrary value that is fed into the hash function together with the original data (usually a password) so that such precomputed tables no longer apply.

A constant salt hardcoded in the application's source code may jeopardize the security of the system. At the very least, the salt value is known to every developer with access to the code. If the same salt value ships in the release version of the application, it can only be replaced by pushing an update.

Using an empty string as the salt is equivalent to hashing without any salt at all: identical passwords produce identical hashes, and precomputed tables apply directly.
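As an added illustration (not code from this page or from the DerScanner project), the flagged pattern is shown next to a corrected version: a constant empty salt concatenated to the password versus a fresh random salt per password fed to PBKDF2. It assumes .NET 6 or later for the static `Rfc2898DeriveBytes.Pbkdf2`, `SHA256.HashData` and `RandomNumberGenerator.GetBytes` APIs; the class and method names are ours.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordHashing
{
    // Vulnerable: the salt is a hardcoded empty string, so it contributes nothing.
    // Every user with the same password gets the same hash, and one precomputed
    // table of popular passwords covers all of them.
    private const string EmptySalt = "";

    public static string HashWithEmptySalt(string password)
    {
        byte[] input = Encoding.UTF8.GetBytes(EmptySalt + password);
        return Convert.ToHexString(SHA256.HashData(input));
    }

    // Hardened: a fresh random 16-byte salt per password, stored next to the
    // derived key, and an iterated KDF (PBKDF2-HMAC-SHA256) instead of one hash pass.
    private const int Iterations = 210_000; // assumed work factor; tune for your hardware

    public static (byte[] Salt, byte[] Hash) HashWithRandomSalt(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);
        return (salt, hash);
    }

    // Recompute with the stored salt and compare in constant time.
    public static bool Verify(string password, byte[] salt, byte[] expectedHash)
    {
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);
        return CryptographicOperations.FixedTimeEquals(actual, expectedHash);
    }

    public static void Main()
    {
        // Two users who chose the same (constructed) password "hunter2".
        // Under the empty salt their stored hashes collide ...
        Console.WriteLine(HashWithEmptySalt("hunter2") == HashWithEmptySalt("hunter2"));

        // ... under per-password random salts the stored hashes differ, yet each verifies.
        var a = HashWithRandomSalt("hunter2");
        var b = HashWithRandomSalt("hunter2");
        Console.WriteLine(Convert.ToHexString(a.Hash) != Convert.ToHexString(b.Hash));
        Console.WriteLine(Verify("hunter2", a.Salt, a.Hash) && !Verify("wrong", b.Salt, b.Hash));
    }
}
```

Note that the salt is not secret and is stored in clear beside the hash; its job is uniqueness per record, which the empty string cannot provide.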

Sensitive Data Exposure vulnerabilities rank third in the "OWASP Top 10 2017" web-application vulnerability list.

DerScanner Severity Score: CRITICAL
