Home / Vulnerability Database / Java : Use of a one-way hash with a predictable Salt
Java
Java : Use of a one-way hash with a predictable Salt
Classification
OWASP Top 10 2013
OWASP Top 10 2017
OWASP Top 10 2021
OWASP MASVS
HIPAA
Overview
One of the attack methods on a password authentication system uses tables of pre-computed hash values of popular passwords. Salt is an arbitrary string, which is fed into the hash function concatenated with the original data (usually a password) in order to prevent such an attack.
The application uses predictable salt as part of the input data, which can jeopardize system security. Since a predictable pseudo-random number generator is used to produce salt, the attacker may know the value of the salt.
Sensitive Data Exposure vulnerabilities take the third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.
References
- CWE-760: Use of a One-Way Hash with a Predictable Salt
- OWASP: Password Storage Cheat Sheet
- OWASP Top 10 2013-A6-Sensitive Data Exposure
- Salt & pepper, please: a note on password storage - blog.filippo.io
- OWASP Top 10 2017-A3-Sensitive Data Exposure
- CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
MEDIUM
DerScanner Severity Score
Do you want to fix Java : Use of a one-way hash with a predictable Salt in your application?
See also
Java
Java : Race condition
Java
Java : Text4Shell Vulnerability
Java