PHP : Hardcoded salt
Classification
OWASP Top 10 2013 A6-Sensitive Data Exposure OWASP Top 10 2017 A3-Sensitive Data Exposure OWASP Top 10 2021 A2-Cryptographic Failures A4-Insecure Design OWASP MASVS V3: 3.3.(L1/L2/L1+R/L2+R) V8: 8.11.(L1+R/L2+R) V8: 8.13.(L1+R/L2+R) OWASP ASVS Stored Cryptography Stored Cryptography Authentication Authentication Authentication Authentication Authentication PCI DSS 4.0 3.6.1 6.5.6 6.2.4 8.3.2 HIPAA §164.312 (a)(2)(iv) CWE CWE-257 CWE-522 CWE-760 CWE-798 CWE-916 CWE/SANS Top 25 2011 CWE-798 CWE/SANS Top 25 2021 CWE-522 CWE-798Overview
The application computes a hash function using a fixed salt value.
One of the attack methods on a password authentication system uses tables of pre-computed hash values of popular passwords. Salt is an arbitrary string, which is fed into the hash function concatenated with the original data (usually a password) in order to prevent such an attack.
Constant salt hardcoded in the application’s source code may jeopardize the security of the system. At least, the value of the salt is accessible to all the application developers. If the same salt value is used in the final version of the application, it will be possible to remove it only through an update.
Since constant string values are easily extracted from the application by a decompiler, an attacker can gain access to salt value even without an access to the source code of the application.
Sensitive Data Exposure vulnerabilities take the third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.
References
- CWE-760: Use of a One-Way Hash with a Predictable Salt
- CWE-798: Use of Hard-coded Credentials
- CWE-916: Use of Password Hash With Insufficient Computational Effort
- OWASP Top 10 2017-A3-Sensitive Data Exposure
- OWASP Top 10 2013-A6-Sensitive Data Exposure
- OWASP: Password Storage Cheat Sheet
- Salt and pepper, please: a note on password storage - blog.filippo.io
- crypt - php.net