cwe-328-weak-hash-algorithm

star 1

Use this skill when you need to remediate CWE-328 (Weak Hash Algorithm (MD5/SHA1)) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing weak hash algorithm (md5/sha1) issues.

DevelopersCoffee By DevelopersCoffee schedule Updated 3/6/2026
play_arrow Run Skill in Manus View GitHub

name: cwe-328-weak-hash-algorithm description: Use this skill when you need to remediate CWE-328 (Weak Hash Algorithm (MD5/SHA1)) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing weak hash algorithm (md5/sha1) issues. version: 1.0.0 license: MIT tags:

  • security

  • java

  • cwe-328

  • remediation

  • sast

  • cryptography

  • weak-hash

CWE-328 Weak Hash Algorithm (MD5/SHA1)

Description

Weak Hash Algorithm (MD5/SHA1)

Reference: https://cwe.mitre.org/data/definitions/328.html

OWASP Category: A02:2021 – Cryptographic Failures

Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: Using weak hash algorithms
MessageDigest md = MessageDigest.getInstance("MD5");  // Collision attacks!
byte[] hash = md.digest(data.getBytes());

// VULNERABLE: SHA1 for password hashing
MessageDigest sha1 = MessageDigest.getInstance("SHA1");  // Weak!
String hashedPassword = Base64.getEncoder().encodeToString(sha1.digest(password.getBytes()));

Why it's vulnerable: This pattern is vulnerable to Weak Hash Algorithm (MD5/SHA1)

Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Use SHA-256 for integrity checks
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] hash = md.digest(data.getBytes(StandardCharsets.UTF_8));

// SECURE: For passwords, use bcrypt/scrypt/argon2
// Option 1: BCrypt (Spring Security)
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(12);
String hashedPassword = encoder.encode(password);
boolean matches = encoder.matches(password, hashedPassword);

// Option 2: Argon2 (stronger, newer)
Argon2PasswordEncoder encoder = new Argon2PasswordEncoder(16, 32, 1, 65536, 3);
String hashedPassword = encoder.encode(password);

Why it's secure: Implements proper protection against Weak Hash Algorithm (MD5/SHA1)

Detection Pattern

Look for these patterns in your codebase:

# Find MD5/SHA1 usage
grep -rn "getInstance.*MD5\\|getInstance.*SHA1\\|getInstance.*SHA-1" --include="*.java"

Remediation Steps

  1. Replace MD5/SHA1 with SHA-256 or SHA-512

  2. For passwords, use BCrypt, SCrypt, or Argon2

  3. Never use fast hashes (MD5/SHA) for passwords

  4. Use HMAC-SHA256 for message authentication

Key Imports


import java.security.MessageDigest;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

import org.springframework.security.crypto.argon2.Argon2PasswordEncoder;

Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code

Trigger Examples

Fix CWE-328 vulnerability
Resolve Weak Hash Algorithm (MD5/SHA1) issue
Secure this Java code against weak hash algorithm (md5/sha1)
SAST reports CWE-328

Common Vulnerable Locations

Layer Files Patterns

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |

References

Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07

Install via CLI
npx skills add https://github.com/DevelopersCoffee/java-cwe-security-skills --skill cwe-328-weak-hash-algorithm
Repository Details
star Stars 1
call_split Forks 0
navigation Branch main
article Path SKILL.md
More from Creator
DevelopersCoffee
DevelopersCoffee Explore all skills →