Use PBKDF2 with per-password salt for secure password hashing instead of unsalted SHA-256.

[zeropath-ai-dev]

Summary

• The Vulnerability Description:
  The original Password._make_hash method used an unsalted SHA-256 hash without any salt or iteration, making passwords vulnerable to rainbow table and brute-force attacks.

• This Fix:
  The revised method now generates a random salt, applies PBKDF2-HMAC with SHA-256 and 100,000 iterations, and stores the hash concatenated with the salt, securely strengthening password storage.

• The Cause of the Issue:
  Insufficient hashing practices were used—no randomization (salt) or computational hardening (iterations), leaving passwords easily reversible by attackers.

• The Patch Implementation:
  The patch imports os for secure random salt generation, switches to PBKDF2-HMAC for iterative hashing, and updates both password hashing and validation methods to securely handle salts and iterations.

Vulnerability Details

• Vulnerability Class: Natural Language Rule Violation
• Severity: 0.0
• Affected File: owasp-top10-2021-apps/a9/games-irados/app/model/password.py
• Vulnerable Lines: 15-15

Code Snippets

diff --git a/owasp-top10-2021-apps/a9/games-irados/app/model/password.py b/owasp-top10-2021-apps/a9/games-irados/app/model/password.py
index 3abacd0b..0675f77e 100644
--- a/owasp-top10-2021-apps/a9/games-irados/app/model/password.py
+++ b/owasp-top10-2021-apps/a9/games-irados/app/model/password.py
@@ -1,4 +1,5 @@
 import hashlib
+import os
 
 class Password:
 
@@ -6,10 +7,15 @@ class Password:
         self.password = password
 
     def get_hashed_password(self):
-        return self._make_hash(self.password)
+        salt = os.urandom(16)
+        dk = hashlib.pbkdf2_hmac('sha256', self.password.encode(), salt, 100000)
+        return salt.hex() + ':' + dk.hex()
 
     def validate_password(self, hashed_password):
-        return self._compare_password(hashed_password, self._make_hash(self.password))
+        salt_hex, hash_hex = hashed_password.split(':')
+        salt = bytes.fromhex(salt_hex)
+        dk = hashlib.pbkdf2_hmac('sha256', self.password.encode(), salt, 100000)
+        return hash_hex == dk.hex()
 
     def _make_hash(self, string):
         return hashlib.sha256(string).hexdigest()

How to Modify the Patch

You can modify this patch by using one of the two methods outlined below. We recommend using the @zeropath-ai-dev bot for updating the code. If you encounter any bugs or issues with the patch, please report them here.

Ask @zeropath-ai-dev!

To request modifications, please post a comment beginning with @zeropath-ai-dev and specify the changes required.

@zeropath-ai-dev will then implement the requested adjustments and commit them to the specified branch in this pull request. Our bot is capable of managing changes across multiple files and various development-related requests.

Manually Modify the Files

# Checkout created branch:
git checkout zvuln_fix_natural_language_rule_violation_1754368552483475

# if vscode is installed run (or use your favorite editor / IDE):
code owasp-top10-2021-apps/a9/games-irados/app/model/password.py

# Add, commit, and push changes:
git add -A
git commit -m "Update generated patch with x, y, and z changes."
git push zvuln_fix_natural_language_rule_violation_1754368552483475