forked from anxolerd/dvpwa
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Patched test_password_vulnerability.py
- Loading branch information
patched.codes[bot]
committed
Dec 30, 2024
1 parent
4e2d1c7
commit 01bb552
Showing
1 changed file
with
29 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| from hashlib import md5 | ||
| import time | ||
|
|
||
| def demonstrate_md5_weakness(): | ||
| # Example password | ||
| password = "test123" | ||
|
|
||
| # Current implementation (MD5) | ||
| start_time = time.time() | ||
| md5_hash = md5(password.encode('utf-8')).hexdigest() | ||
|
Check failure Code scanning / CodeQL Use of a broken or weak cryptographic hashing algorithm on sensitive data High test Sensitive data (password) Error loading related location Loading |
||
| md5_time = time.time() - start_time | ||
|
|
||
| print(f"Password: {password}") | ||
|
Check failure Code scanning / CodeQL Clear-text logging of sensitive information High test
This expression logs
sensitive data (password) Error loading related location Loading |
||
| print(f"MD5 Hash: {md5_hash}") | ||
| print(f"Time taken for MD5: {md5_time:.6f} seconds") | ||
| print("\nVulnerabilities:") | ||
| print("1. MD5 is fast (bad for password hashing): {:.2f} million hashes/second possible on modern hardware".format(1/md5_time/1000000)) | ||
| print("2. No salt used: identical passwords produce identical hashes") | ||
| print("3. MD5 is cryptographically broken with known collisions") | ||
|
|
||
| # Demonstrate lack of salt problem | ||
| password2 = "test123" | ||
| md5_hash2 = md5(password2.encode('utf-8')).hexdigest() | ||
|
Check failure Code scanning / CodeQL Use of a broken or weak cryptographic hashing algorithm on sensitive data High test Sensitive data (password) Error loading related location Loading |
||
| print(f"\nSame password hashed again: {md5_hash2}") | ||
| print(f"Hashes match? {md5_hash == md5_hash2}") | ||
| print("This makes the hashes vulnerable to rainbow table attacks") | ||
|
|
||
| if __name__ == "__main__": | ||
| demonstrate_md5_weakness() | ||