/
md5-used-as-password.yaml
47 lines (47 loc) · 1.56 KB
/
md5-used-as-password.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
rules:
- id: md5-used-as-password
severity: WARNING
message: >-
It looks like MD5 is used as a password hash. MD5 is not considered a
secure password hash because it can be cracked by an attacker in a short
amount of time. Use a suitable password hashing function such as scrypt.
You can use `hashlib.scrypt`.
languages: [python]
metadata:
cwe:
- 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
references:
- https://tools.ietf.org/html/rfc6151
- https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision
- https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html
- https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords
- https://github.com/returntocorp/semgrep-rules/issues/1609
- https://docs.python.org/3/library/hashlib.html#hashlib.scrypt
category: security
technology:
- pycryptodome
- hashlib
- md5
subcategory:
- vuln
likelihood: HIGH
impact: LOW
confidence: MEDIUM
mode: taint
pattern-sources:
- patterns:
- pattern-either:
- pattern: hashlib.md5
- pattern: hashlib.new(..., name="MD5", ...)
- pattern: Cryptodome.Hash.MD5
- pattern: Crypto.Hash.MD5
- pattern: cryptography.hazmat.primitives.hashes.MD5
pattern-sinks:
- patterns:
- pattern: $FUNCTION(...)
- metavariable-regex:
metavariable: $FUNCTION
regex: (?i)(.*password.*)