
Groovy : Hardcoded salt

Overview

One class of attack on password authentication uses tables of pre-computed hashes of common passwords (rainbow tables). A salt is a random value, generated separately for each password, that is combined with the password before hashing. Because every password then hashes differently even when two users choose the same one, an attacker cannot amortize a single pre-computed table across all accounts and has to attack each hash individually.

A constant salt hardcoded in the application's source code defeats this purpose and jeopardizes the security of the system. At the very least, the salt value is known to every developer with access to the source. Once the application ships with that value, every stored hash depends on it, so the salt can only be changed by releasing an update and re-hashing or resetting all passwords.

Constant string values are also easily extracted from a compiled application with a decompiler (or simply by reading the class file's constant pool), so an attacker can recover the salt without any access to the source code. With a single known salt, the attacker is back to pre-computing one table of salted hashes that works against every user in the database.
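The following Groovy example is added here to illustrate the difference; it is not code from DerScanner or from any scanned project. The class and method names, the placeholder salt `"s3cr3t-salt"` and the PBKDF2 parameters are all assumptions chosen for the illustration. The first method shows the flagged pattern (a constant salt that ends up in the compiled class and is shared by every user); the second generates a fresh random salt per password, stores it alongside the PBKDF2 output, and verifies with a constant-time comparison.

```groovy
import java.security.MessageDigest
import java.security.SecureRandom
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec

class PasswordHashing {
    // VULNERABLE: a constant salt. "s3cr3t-salt" is a made-up placeholder value;
    // the real problem is that any literal like this sits in the class file's
    // constant pool and is visible to `javap -v` or any decompiler.
    static final String HARDCODED_SALT = "s3cr3t-salt"

    static String weakHash(String password) {
        def md = MessageDigest.getInstance("SHA-256")
        md.digest((HARDCODED_SALT + password).getBytes("UTF-8")).encodeHex().toString()
    }

    // FIXED: per-password random salt + PBKDF2-HMAC-SHA256.
    // Parameter values are assumptions for this example, not a project standard.
    static final int SALT_BYTES = 16
    static final int ITERATIONS = 600_000
    static final int KEY_BITS = 256

    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES]
        new SecureRandom().nextBytes(salt)   // CSPRNG, never a constant or Math.random()
        salt
    }

    static byte[] pbkdf2(String password, byte[] salt, int iterations, int keyBits) {
        def spec = new PBEKeySpec(password.toCharArray(), salt, iterations, keyBits)
        try {
            SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).encoded
        } finally {
            spec.clearPassword()   // scrub the password chars from the spec
        }
    }

    // Stored record: "<iterations>$<salt base64>$<hash base64>", so the salt and
    // work factor travel with the hash and can be upgraded per user later.
    static String hashForStorage(String password) {
        byte[] salt = newSalt()
        byte[] hash = pbkdf2(password, salt, ITERATIONS, KEY_BITS)
        "${ITERATIONS}\$${salt.encodeBase64()}\$${hash.encodeBase64()}"
    }

    static boolean verify(String password, String stored) {
        def parts = stored.split('\\$')
        if (parts.length != 3) return false
        byte[] salt = parts[1].decodeBase64()
        byte[] expected = parts[2].decodeBase64()
        byte[] actual = pbkdf2(password, salt, parts[0] as int, expected.length * 8)
        MessageDigest.isEqual(expected, actual)   // constant-time comparison
    }
}

// Two users choosing the same password (constructed input for the demo):
// with the constant salt the stored hashes collide and a table built for the
// known salt cracks both; with a per-password salt the records differ.
def pw = "correct horse battery staple"
println "constant salt, same hash for both users: " +
        (PasswordHashing.weakHash(pw) == PasswordHashing.weakHash(pw))
def recordA = PasswordHashing.hashForStorage(pw)
def recordB = PasswordHashing.hashForStorage(pw)
println "random salt, records identical: " + (recordA == recordB)
println "verify correct password: " + PasswordHashing.verify(pw, recordA)
println "verify wrong password:   " + PasswordHashing.verify("wrong password", recordA)
```

Run it with `groovy <file>`; the two users' records differ in the fixed version because each call to `hashForStorage` draws its own salt. When a scanner reports this finding, the fix is not just to rotate the constant: existing hashes computed with the old salt still need to be re-hashed on the user's next successful login or invalidated with a password reset.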

Sensitive Data Exposure vulnerabilities take third place (A3) in the "OWASP Top 10 2017" web-application vulnerability ranking.

DerScanner Severity Score: MEDIUM


See also

Groovy : Weak hashing algorithm
Groovy : Unsafe padding
Groovy : Null encryption key