👨‍💻
Application Security Handbook
  • Application Security Handbook
  • Web Application
    • Authentication
      • Authentication with Login and Password
      • Authentication with Phone Number
      • OAuth 2.0 Authentication
      • Multi-factor Authentication
      • Default Passwords
      • Password Change
      • Password Policy
      • Password Reset
      • Password Storage
      • One Time Password (OTP)
      • Email Address Confirmation
    • Authorization
    • Concept of Trusted Devices
    • Content Security Policy (CSP)
    • Cookie Security
    • Cryptography
      • Cryptographic Keys Management
      • Encryption
      • Hash-based Message Authentication Code (HMAC)
      • Hashing
      • Random Generators
      • Universal Unique Identifier (UUID)
    • Error and Exception Handling
    • File Upload
    • Input Validation
    • JSON Web Token (JWT)
    • Logging and Monitoring
    • Output Encoding
    • Regular Expressions
    • Sensitive Data Management
    • Session Management
    • Transport Layer Protection
    • Vulnerability Mitigation
      • Brute-force
      • Command Injection
      • Cross-Site Request Forgery (CSRF)
      • Cross-Site Scripting (XSS)
      • Mass Parameter Assignment
      • Parameter Pollution
      • Path Traversal
      • Regular Expression Denial of Service (ReDoS)
      • SQL Injection (SQLi)
      • XML External Entity (XXE) Injection
Powered by GitBook
On this page
  • Overview
  • General
  • Hashing implementation
  1. Web Application
  2. Cryptography

Hashing

PreviousHash-based Message Authentication Code (HMAC)NextRandom Generators

Last updated 1 year ago

Overview

This page contains recommendations for choosing a hashing algorithm.

General

  • For other data, use a hashing algorithm from the SHA-2 or SHA-3 family.

Vulnerable hash algorithms
  • MD4

  • MD5

  • SHA-0

  • SHA-1

  • HAVAL-128

  • PANAMA

  • RIPEMD

Hashing implementation

package main

import (
    "crypto/sha256"
    "fmt"
)

func main() {
    p := []byte("random string for hashing")
    hash := sha256.New()
    fmt.Printf("%x\n", hash.Sum(p))
}
import java.security.MessageDigest;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;

public static String sha256Hash(String data) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    byte[] encodedHash = digest.digest(data.getBytes(StandardCharsets.UTF_8));
    return toHex(encodedHash)
}

public static String sha3256Hash(String data) throws NoSuchAlgorithmException {
    MessageDigest digest = MessageDigest.getInstance("SHA3-256");
    byte[] encodedHash = digest.digest(data.getBytes(StandardCharsets.UTF_8));
    return toHex(encodedHash)
}

private static String toHex(byte[] byteArray) {
    String hex = "";
    for (byte i : byteArray) {
        hex += String.format("%02x", i);
    }
    return hex;
}
const { createHash } = await import('node:crypto');

async function sha256_digest(data) {
    const hash = createHash('sha256');
    hash.update(data);
    return hash.digest('hex');
}
import hashlib

def sha256_digest(data: str) -> str:
    encoded_data = data.encode('utf-8')
    hash = hashlib.sha256(encoded_data)
    return hash.hexdigest()

def sha3_256_digest(data: str) -> str:
    encoded_data = data.encode('utf-8')
    hash = hashlib.sha3_256(encoded_data)
    return hash.hexdigest()

If you need to hash passwords see the the page.

Do not use vulnerable hashing algorithms from the list below. You can find examples of collision attacks at .

Use the implementation of hash algorithms from the package, such as or . You can find the whole list at https://pkg.go.dev/crypto#Hash

Use the class for hashing implementation. MessageDigest is not thread-safe. Use a new instance for every thread.

Use the package for hashing implementation. The list of supported algorithms is dependent on the available algorithms supported by the version of OpenSSL on the platform. Use openssl list -digest-algorithms to display the available digest algorithms.

Use the package for hashing implementation. You can find the list of available algorithms .

Authentication: Password Storage
https://github.com/corkami/collisions
crypto
crypto/sha256
crypto/sha512
java.security.MessageDigest
crypto
hashlib
here