PHP session.hash_function is SHA

OWASP 2013-A9 OWASP 2017-A9 OWASP 2021-A6 CWE-328 WASC-20

SHA-1 is a cryptographic hash function which takes input data and produces a 160-bit hash value (message digest). In 2005, SHA-1 was no longer considered secure against expert attacks, and for this reason the function was considered insecure. SHA-1 was then replaced by SHA-2 and SHA-3. An attacker can perform collision attacks on the SHA-1 function. Many servers use the SHA-1 algorithm as the session hash function. The attacker can easily crack these hash values using real-world collision attacks. Many of the latest web browsers, such as Chrome, Firefox and Safari, have blocked the use of SHA-1 for encryption. A collision attack exploits a hash function bug through which two inputs might have the same hash value. The attacker can utilise this bug to get sensitive information about the server.


The following is an example of the SHA-1 function:

        SHA1("The quick brown fox jumps over the lazy dog")
        gives hexadecimal: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12
        gives Base64 binary to ASCII text encoding: L9ThxnotKPzthJ7hu3bnORuT6xI=



The impact includes:

  • Collision attacks - This attack tries to find two input values with the same hash value.

Mitigation / Precaution

This vulnerability can be fixed by:

  • Using a slow password hash such as BCrypt, PBKDF2, SCrypt, etc.
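One way to check a php.ini file for this finding, as an added example that is not part of the original page: the function name, verdict strings and sample ini text are assumptions made for illustration. It goes beyond the SHA-1 case by also flagging the value 0, which selects MD5.

```python
import re

# session.hash_function values that select a weak digest.
# 0 = MD5 and 1 = SHA-1 are the numeric forms; algorithm names are
# accepted since PHP 5.3. The directive was removed in PHP 7.1.
WEAK = {"0": "MD5", "md5": "MD5", "1": "SHA-1", "sha1": "SHA-1"}

# Matches an uncommented assignment; the value stops at an inline ';' comment.
DIRECTIVE = re.compile(r"^\s*session\.hash_function\s*=\s*(?P<val>[^;]*)")


def audit_session_hash(ini_text):
    """Return (value, verdict) for the effective session.hash_function.

    The last uncommented assignment in the text is treated as effective.
    Lines starting with ';' never match, so commented-out settings are ignored.
    """
    value = None
    for line in ini_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            value = m.group("val").strip().strip("\"'")
    if not value:
        # On PHP before 7.1 an unset directive defaults to 0 (MD5).
        return (None, "unset")
    # Lower-casing is a conservative choice so "SHA1" is flagged as well.
    key = value.lower()
    if key in WEAK:
        return (value, "weak: " + WEAK[key])
    return (value, "ok")


# Constructed sample input: the setting this page reports.
SAMPLE_WEAK = """\
[Session]
; session.hash_function = sha256
session.hash_function = 1   ; SHA-1
"""

# Constructed sample input: a SHA-2 digest selected by name.
SAMPLE_FIXED = """\
[Session]
session.hash_function = "sha256"
session.hash_bits_per_character = 5
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(name, audit_session_hash(text))
```

The check reads only the text it is given; settings overridden elsewhere (for example with `ini_set()` at runtime) are outside what it sees.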