
Unsafe hash upon account creation #42

Open
scalzava opened this issue May 15, 2024 · 0 comments

Comments

@scalzava

To whom it may concern.

Our security team is working on the automated detection of session vulnerabilities in open-source web applications, including insecure hashing of authentication credentials. Our analyzer identified that the sign_up function of ezeeai/utils/db_ops.py is using an unsafe hashing function (SHA-256) to store users' passwords. This practice might leave your application vulnerable to offline brute-forcing attacks. Please see the OWASP recommendations for secure password hashing: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html

Can you take a look into the relevant code parts and comment on the issue?
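As an added illustration, not code from ezeeai (the actual body of sign_up in ezeeai/utils/db_ops.py is not reproduced here), the unsalted SHA-256 pattern the report describes next to a standard-library replacement that follows the linked OWASP cheat sheet. The function names and the stored-record format are constructed for this example; the 600,000 iteration count is the cheat sheet's figure for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the pattern the issue reports: one fast, unsalted
# SHA-256 of the password. Equal passwords give equal digests, and an attacker
# holding the table can test billions of guesses per second offline.
def weak_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Hardened form: per-user random salt plus a deliberately slow, iterated KDF.
# PBKDF2-HMAC-SHA256 is used because it ships in the standard library; the
# OWASP cheat sheet lists Argon2id, scrypt and bcrypt ahead of it.
PBKDF2_ITERATIONS = 600_000  # OWASP minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
RECORD_TAG = "pbkdf2_sha256"  # constructed record format: tag$iters$salt$digest

def hash_password(password: str, *, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record, so the work factor can be raised later without a schema change.
    return f"{RECORD_TAG}${iterations}${salt.hex()}${digest.hex()}"

def _parse_record(stored: str):
    """Return (iterations, salt, digest) or None if the record is malformed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != RECORD_TAG:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None

def verify_password(password: str, stored: str) -> bool:
    parsed = _parse_record(stored)
    if parsed is None:
        return False
    iterations, salt, digest = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so the check does not leak matching prefix length.
    return hmac.compare_digest(candidate, digest)

def needs_rehash(stored: str) -> bool:
    """True when a stored record was made with a weaker work factor than now required."""
    parsed = _parse_record(stored)
    return parsed is None or parsed[0] < PBKDF2_ITERATIONS
```

On a successful login, a record for which needs_rehash() is true can be replaced with hash_password() of the just-verified password, which is how existing SHA-256 rows get migrated without a reset.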
