
Replace insecure SHA256 password hashing with PBKDF2-HMAC and random salt for secure password storage. #8


Open
wants to merge 1 commit into
base: master

Conversation

zeropath-ai-dev[bot]

Summary

  • The Vulnerability Description: The original implementation used hashlib.sha256 directly for password hashing without a salt or key stretching, leaving stored passwords vulnerable to attacks such as rainbow tables and brute-force.
  • This Fix: The patch replaces the insecure hash with a modern, secure hashing approach using PBKDF2-HMAC with a random salt and key stretching, in line with industry best practices for password storage.
  • The Cause of the Issue: The weakness arose because simple hashing with SHA-256 does not provide sufficient resistance against common password attacks, as it lacks both a unique salt and computational difficulty.
  • The Patch Implementation: The updated code generates a random 16-byte salt per password, uses PBKDF2-HMAC with 100,000 iterations for key stretching, and stores both the salt and hashed password as hex strings separated by $, improving security and verification.

Vulnerability Details

  • Vulnerability Class: Natural Language Rule Violation
  • Severity: 0.0
  • Affected File: owasp-top10-2021-apps/a3/gossip-world/app/model/password.py
  • Vulnerable Lines: 16-16

Code Snippets

diff --git a/owasp-top10-2021-apps/a3/gossip-world/app/model/password.py b/owasp-top10-2021-apps/a3/gossip-world/app/model/password.py
index a2892533..88cba0f1 100644
--- a/owasp-top10-2021-apps/a3/gossip-world/app/model/password.py
+++ b/owasp-top10-2021-apps/a3/gossip-world/app/model/password.py
@@ -1,4 +1,5 @@
 import hashlib
+import os
 
 
 class Password:
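Review bot: if the comparison in validate_password is moved to hmac.compare_digest (see the note on the next hunk), `import hmac` belongs here next to the new `import os`.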
@@ -10,10 +11,22 @@ class Password:
         return self._make_hash(self.password)
 
     def validate_password(self, hashed_password):
-        return self._compare_password(hashed_password, self._make_hash(self.password))
+        try:
+            salt, _ = hashed_password.split('$', 1)
+        except ValueError:
+            return False
+        # Recreate hash with extracted salt and compare full stored string
+        return hashed_password == self._make_hash(self.password, salt)
 
-    def _make_hash(self, string):
-        return hashlib.sha256(string).hexdigest()
+    def _make_hash(self, string, salt=None):
+        # Use PBKDF2-HMAC with a random salt and key stretching
+        if salt is None:
+            salt = os.urandom(16)
+        else:
+            salt = bytes.fromhex(salt)
+        dk = hashlib.pbkdf2_hmac('sha256', string.encode('utf-8'), salt, 100000)
+        # Store salt and derived key in hex separated by $
+        return salt.hex() + '$' + dk.hex()
 
     def _compare_password(self, password_1, password_2):
         return password_1 == password_2
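Review bot: validate_password compares the recomputed record with `==`, which short-circuits on the first differing character; use `hmac.compare_digest(hashed_password, self._make_hash(self.password, salt))` so the comparison runs in constant time, and either route it through `_compare_password` with that implementation or delete `_compare_password`, which is now unreachable and still uses `==`. The `bytes.fromhex(salt)` call in `_make_hash` also raises ValueError for a record that contains `$` but a non-hex salt, and that raise sits outside the `try` in validate_password, so a malformed record crashes validation instead of returning False. Records written by the old `hashlib.sha256(string).hexdigest()` contain no `$`, so every existing user fails validation after this change with no migration path; the PR description should say so, or the code should detect the legacy format and rehash on next successful login. Lastly, `_make_hash` now calls `string.encode('utf-8')` where the old `hashlib.sha256(string)` required bytes, so any caller that passed bytes will raise AttributeError; consider storing the iteration count in the record as well so it can be raised later without breaking verification.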

How to Modify the Patch

You can modify this patch by using one of the two methods outlined below. We recommend using the @zeropath-ai-dev bot for updating the code. If you encounter any bugs or issues with the patch, please report them here.

Ask @zeropath-ai-dev!

To request modifications, please post a comment beginning with @zeropath-ai-dev and specify the changes required.

@zeropath-ai-dev will then implement the requested adjustments and commit them to the specified branch in this pull request. Our bot is capable of managing changes across multiple files and various development-related requests.

Manually Modify the Files

# Checkout created branch:
git checkout zvuln_fix_natural_language_rule_violation_1754368710593037

# if vscode is installed run (or use your favorite editor / IDE):
code owasp-top10-2021-apps/a3/gossip-world/app/model/password.py

# Add, commit, and push changes:
git add -A
git commit -m "Update generated patch with x, y, and z changes."
git push zvuln_fix_natural_language_rule_violation_1754368710593037
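The PBKDF2-HMAC storage scheme described in the summary above, written out as an added example that is not the project's code or the bot's patch. It keeps the patch's record format (`salthex$dkhex`, 16-byte salt, 100,000 iterations) but verifies with a constant-time comparison, rejects malformed records instead of raising, and flags records still in the pre-patch bare-SHA-256 format so they can be rehashed. Function names, the `ITERATIONS` and `SALT_BYTES` constants and the sample passwords are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000  # key-stretching work factor, same as the patch (assumed constant name)
SALT_BYTES = 16       # 128-bit random salt per password (assumed constant name)
DK_BYTES = hashlib.sha256().digest_size  # PBKDF2-HMAC-SHA256 derives a 32-byte key by default


def make_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record of the form 'salthex$dkhex'.

    A fresh random salt is drawn unless one is supplied (the caller passes the
    stored salt back in only when re-deriving for verification).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, ITERATIONS)
    return salt.hex() + '$' + dk.hex()


def parse_record(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Split a stored record into (salt, derived_key); None if it is malformed."""
    salt_hex, sep, dk_hex = stored.partition('$')
    if not sep:
        return None  # no separator: not in the salted format at all
    try:
        salt = bytes.fromhex(salt_hex)
        dk = bytes.fromhex(dk_hex)
    except ValueError:
        return None  # non-hex content: corrupt record, never an exception at login
    if len(salt) != SALT_BYTES or len(dk) != DK_BYTES:
        return None  # wrong lengths: reject rather than derive against garbage
    return salt, dk


def verify(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored record."""
    parsed = parse_record(stored)
    if parsed is None:
        return False
    salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, ITERATIONS)
    # compare_digest does not short-circuit on the first mismatching byte
    return hmac.compare_digest(candidate, expected)


def is_legacy_sha256(stored: str) -> bool:
    """True for a record in the pre-patch format: a bare 64-char hex SHA-256 digest.

    Such records cannot be verified by verify(); they should be rehashed with
    make_hash() the next time the user authenticates successfully.
    """
    if '$' in stored or len(stored) != 2 * DK_BYTES:
        return False
    try:
        bytes.fromhex(stored)
    except ValueError:
        return False
    return True


if __name__ == '__main__':
    record = make_hash('correct horse battery staple')  # constructed sample password
    print(record)
    print(verify('correct horse battery staple', record), verify('wrong', record))
    print(is_legacy_sha256('a' * 64), is_legacy_sha256(record))
```

Because the salt is random, two calls to `make_hash` with the same password produce different records; verification therefore always re-derives with the salt taken from the stored record rather than comparing records to each other.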
