
Hash with Predictable Salt

In cryptography, a salt is random data appended to an input before it is hashed. For password storage the salt must be unique per password and generated by a cryptographically secure random number generator. When the salt is absent, shared by all users, or predictable (for example a constant, the username or a user ID), an adversary can pre-compute hashes for the target ahead of time, build a lookup table (such as a rainbow table), and test one guess against every stored hash at once instead of attacking each hash separately.

Remediation

Generate a fresh, unpredictable salt for every password (at least 16 bytes from a CSPRNG) and store it alongside the hash; the salt itself does not need to be secret. Hash with an adaptive function whose cost can be tuned as hardware improves: either the number of iterations ("stretching", e.g. PBKDF2 or bcrypt) or the amount of memory required (e.g. scrypt or Argon2). Compare the stored and computed digests with a constant-time comparison.

Metadata

  • Severity: low
  • Slug: hash-with-predictable-salt

CWEs

  • 759: Use of a One-Way Hash without a Salt
  • 1240: Use of a Cryptographic Primitive with a Risky Implementation
  • 760: Use of a One-Way Hash with a Predictable Salt

OWASP

  • A9:2017: Using Components with Known Vulnerabilities
