PHP session.hash_function is MD5

OWASP 2013-A9 OWASP 2017-A9 OWASP 2021-A6 CWE-328 WASC-11

The MD5 is a common hash algorithm that works as a one-way cryptographic function that accepts a string of any length and returns a fixed length digest value (128-bit hash function). This hash function was first used to authenticate digital signatures. Although it was used in many situations, it is now considered unsafe to use MD5 for encryption. There are many malicious ways to generate MD5 collisions in a web application. There are many servers that use an MD5 algorithm for session hash function. As this algorithm is vulnerable, the attacker can easily crack these hash value using a brute-force attack. An attacker can perform a collision attack on applications using MD5 using a weak computer. MD5 is also vulnerable to attacks chosen-prefix collision attack. Chosen-prefix collision attack is a collision attack by which an attacker can manually select two documents and encrypt them to produce same hash value.


The following code is used to declare md5

        string md5 ( string $str [, bool $raw_output = FALSE ] )



The impact include:-

  • Brute-force attack
  • Collision attack

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Use Slow Password Hash such as BCrypt, PBKDF2, SCrypt and many more similarly working hash functions.

Latest Articles