
Adding requests dependencies#10

Open
carmithersh wants to merge 1 commit into main from Checking-older-versions

Conversation

@carmithersh
Collaborator

No description provided.

@github-actions

🚨 Frogbot scanned this pull request and found the below:


encrypted_password = cipher.encrypt(password.encode('utf-8'))
return hashlib.md5(encrypted_password).hexdigest()
encrypted_passcode = cipher.encrypt(password.encode('utf-8'))
return hashlib.md5(encrypted_passcode).hexdigest()
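Review bot: the changed line still wraps the output of cipher.encrypt(...) in hashlib.md5(...).hexdigest(), so renaming encrypted_password to encrypted_passcode leaves the flagged unsafe-hash pattern exactly as it was; the MD5 call itself needs to be replaced, not the variable name.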


🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Unsafe Hash Algorithm
Full description

Overview

An unsafe hash algorithm vulnerability occurs when using a known insecure hash algorithm.
A hash algorithm accepts arbitrary input and generates a hash value, a fixed-length output
that can be used to verify the integrity of data, such as passwords or files.
An insecure hash algorithm is an algorithm that an attacker can use to generate
the same hash value for different input data within a reasonable amount of time
("hash collision attack").

Query operation

In this query we look for any usage of weak hash algorithms.

Vulnerable example

from flask import Flask, request
import hashlib

app = Flask(__name__)

@app.route('/login', methods=['POST'])
def login():
    username = request.form.get('username')
    password = request.form.get('password')

    # Vulnerable hashing mechanism (MD5)
    hashed_password = hashlib.md5(password.encode()).hexdigest()

    if check_password(username, hashed_password):
        return 'Login successful'
    else:
        return 'Login failed'

if __name__ == '__main__':
    app.run()

In this example, the application uses the MD5 hashing algorithm
to hash the user's password before storage. MD5 is considered a weak hashing algorithm,
vulnerable to various attacks, including collision attacks and precomputed lookup tables
(hash inversion).

Remediation

Replace any usage of the md5 and sha1 hash algorithms with stronger hash algorithms such
as sha256 -

@app.route('/login', methods=['POST'])
def login():
    username = request.form.get('username')
    password = request.form.get('password')

-    hashed_password = hashlib.md5(password.encode()).hexdigest()
+    hashed_password = hashlib.sha256(password.encode()).hexdigest()

if check_password(username, hashed_password):
    return 'Login successful'
else:
    return 'Login failed'
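Review bot: the `+` line swaps MD5 for an unsalted, single-round SHA-256, which clears the weak-algorithm finding but still leaves a fast, deterministic digest as the stored password representation; for password storage a dedicated slow, salted construction (hashlib.scrypt or hashlib.pbkdf2_hmac with a per-user random salt) is the stronger remediation, with sha256 reserved for integrity checks of files and similar data.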
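The Frogbot "query operation" above is described only in one sentence ("we look for any usage of weak hash algorithms"). As an added illustration, not part of the PR or of Frogbot's own implementation, here is a small AST-based detector that finds the same class of calls in Python source: `hashlib.md5(...)`, `hashlib.sha1(...)`, `hashlib.new("md5", ...)`, and names imported with `from hashlib import ...`. The `SAMPLE` source it scans is constructed for this example.

```python
import ast

# Digest names treated as weak, matching the finding's remediation text (md5 and sha1).
WEAK_HASH_NAMES = {"md5", "sha1"}


def find_weak_hash_calls(source: str) -> list[tuple[int, str]]:
    """Return (line_number, description) for each weak-hash call in `source`, sorted by line."""
    tree = ast.parse(source)

    # Map local names introduced by `from hashlib import md5 [as m]` to their hashlib name,
    # so that `m(...)` is recognised as well as `hashlib.md5(...)`.
    aliases: dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "hashlib":
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name

    findings: list[tuple[int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func

        # Form 1: hashlib.md5(...) / hashlib.sha1(...)
        if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "hashlib" and func.attr in WEAK_HASH_NAMES):
            findings.append((node.lineno, f"hashlib.{func.attr}"))

        # Form 2: hashlib.new("md5", ...) with a literal algorithm name (case-insensitive)
        elif (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
                and func.value.id == "hashlib" and func.attr == "new" and node.args
                and isinstance(node.args[0], ast.Constant)
                and str(node.args[0].value).lower() in WEAK_HASH_NAMES):
            findings.append((node.lineno, f"hashlib.new({node.args[0].value!r})"))

        # Form 3: a name imported from hashlib, e.g. `from hashlib import sha1 as h1; h1(...)`
        elif isinstance(func, ast.Name) and aliases.get(func.id) in WEAK_HASH_NAMES:
            findings.append((node.lineno, f"hashlib.{aliases[func.id]}"))

    return sorted(findings)


# Constructed sample: one clean sha256 call and three weak-hash calls in different forms.
SAMPLE = '''
import hashlib
from hashlib import sha1 as h1

def a(p):
    return hashlib.md5(p.encode()).hexdigest()

def b(p):
    return hashlib.sha256(p.encode()).hexdigest()

def c(p):
    return h1(p).hexdigest()

def d(p):
    return hashlib.new("MD5", p).hexdigest()
'''

if __name__ == "__main__":
    for line, what in find_weak_hash_calls(SAMPLE):
        print(f"line {line}: weak hash call {what}")
```

The detector only resolves literal algorithm names; `hashlib.new(name)` with a variable is out of scope here, which is the usual limit of a purely syntactic query.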
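The remediation text above replaces md5 with sha256. For the specific case in the finding, hashing a user's password, a salted, deliberately slow key derivation is the construction a reviewer would ask for. The following is an added example, not code from this PR or from Frogbot: it shows the flagged pattern (unsalted MD5) beside a hardened `hash_password` / `verify_password` pair built on `hashlib.scrypt` with a random per-password salt and a constant-time comparison. The `scrypt$N$r$p$salt$hash` storage format and the cost parameters are choices made for this example.

```python
import hashlib
import hmac
import os


def weak_password_hash(password: str) -> str:
    """The pattern the scan flagged: unsalted MD5.

    Deterministic (same password -> same digest) and fast, so precomputed lookup
    tables and brute force both work against it.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Cost parameters chosen for this example; tune to the deployment's CPU/memory budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16   # bytes of random salt per stored password
DK_LEN = 32     # derived key length in bytes


def hash_password(password: str) -> str:
    """Derive a salted scrypt hash and encode it, with its parameters, for storage."""
    salt = os.urandom(SALT_LEN)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    # Storing the parameters alongside the hash lets them be raised later without
    # invalidating existing records.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-derive with the stored salt/parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if scheme != "scrypt":
        return False
    dk = hashlib.scrypt(candidate.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    # hmac.compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify correct:", verify_password(record, "correct horse battery staple"))
    print("verify wrong:  ", verify_password(record, "Tr0ub4dor&3"))
```

Two properties are worth checking when reviewing such code: two hashes of the same password must differ (the salt is doing its job), and verification must go through `compare_digest` rather than `==` on the hex strings.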
