rspec/rules/S6339/php/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529)
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

== Why is this an issue?
Secret keys are used in combination with an algorithm to encrypt data. A typical use case is an authentication system. For such a system to be secure, the secret key should have a value which cannot be guessed and which is long enough to not be vulnerable to brute-force attacks.
A "salt" is an extra piece of data which is included when hashing data such as a password. Its value should have the same properties as a secret key.
This rule raises an issue when it detects that a secret key or a salt has a predictable value or that it's not long enough.
=== Noncompliant code example
WordPress:
[source,php]
----
define('AUTH_KEY', 'hello'); // Noncompliant
define('AUTH_SALT', 'hello'); // Noncompliant
define('AUTH_KEY', 'put your unique phrase here'); // Noncompliant, this is the default value
----
=== Compliant solution
WordPress:
[source,php]
----
define('AUTH_KEY', 'D&ovlU#|CvJ##uNq}bel+^MFtT&.b9{UvR]g%ixsXhGlRJ7q!h}XWdEC[BOKXssj');
define('AUTH_SALT', 'FIsAsXJKL5ZlQo)iD-pt??eUbdc{_Cn<4!d~yqz))&B D?AwK%)+)F2aNwI|siOe');
----
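The three checks the rule describes (default placeholder, too short, predictable content) can be expressed as a small audit script. The following is an added example, not part of the rule or of WordPress; the length threshold, the entropy threshold, the placeholder list and the generator's character set are assumptions chosen for illustration. It audits the values from the two examples above and shows how a replacement key can be produced from PHP's CSPRNG.

```php
<?php
// Added example (not from the rule or from WordPress): audits secret key / salt
// values for the properties the rule requires and generates a compliant one.
// All thresholds and the character set below are assumptions, not WordPress's own.

declare(strict_types=1);

const MIN_SECRET_LENGTH = 32;   // assumed minimum; the compliant WordPress keys are 64 chars
const MIN_BITS_PER_CHAR = 4.0;  // assumed: Shannon estimate below which the value is flagged

// Placeholder shipped in wp-config-sample.php (taken from the noncompliant example above).
const KNOWN_PLACEHOLDERS = ['put your unique phrase here'];

/** Shannon entropy estimate, in bits per character, of the string's byte distribution. */
function bitsPerChar(string $s): float
{
    $len = strlen($s);
    if ($len === 0) {
        return 0.0;
    }
    $bits = 0.0;
    foreach (count_chars($s, 1) as $count) {   // mode 1: only bytes that occur
        $p = $count / $len;
        $bits -= $p * log($p, 2);
    }
    return $bits;
}

/**
 * Returns the list of problems found with a secret or salt value.
 * An empty list means the value passed every check.
 */
function auditSecret(string $name, string $value): array
{
    $problems = [];
    if (in_array(strtolower(trim($value)), KNOWN_PLACEHOLDERS, true)) {
        $problems[] = "$name: default placeholder value, must be replaced";
    }
    if (strlen($value) < MIN_SECRET_LENGTH) {
        $problems[] = sprintf('%s: only %d characters (minimum %d)', $name, strlen($value), MIN_SECRET_LENGTH);
    }
    if (bitsPerChar($value) < MIN_BITS_PER_CHAR) {
        $problems[] = sprintf('%s: predictable content (%.2f bits/char)', $name, bitsPerChar($value));
    }
    return $problems;
}

/** Builds a key of the given length from a CSPRNG; the alphabet is an assumption. */
function generateSecret(int $length = 64): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_[]{}<>~+=,.;:/?|';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];   // random_int() is cryptographically secure
    }
    return $out;
}

// Constructed sample set: the noncompliant values from the rule, the compliant
// AUTH_KEY from the rule, and one freshly generated key.
$samples = [
    'AUTH_KEY (weak)'    => 'hello',
    'AUTH_SALT (default)' => 'put your unique phrase here',
    'AUTH_KEY (rule)'    => 'D&ovlU#|CvJ##uNq}bel+^MFtT&.b9{UvR]g%ixsXhGlRJ7q!h}XWdEC[BOKXssj',
    'AUTH_KEY (generated)' => generateSecret(),
];

foreach ($samples as $name => $value) {
    $problems = auditSecret($name, $value);
    echo $problems ? implode(PHP_EOL, $problems) : "$name: ok", PHP_EOL;
}
```

The two weak values are reported on length and on character variety ('hello' scores under 2 bits per character, and the placeholder is additionally matched by name), while the 64-character values pass all three checks. The entropy estimate only measures character variety within one string, so it catches repeated or dictionary-like values but is not a substitute for generating the key from a CSPRNG in the first place, which is what `generateSecret()` does.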
== Resources
* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10 2021 Category A2 - Cryptographic Failures]
* https://wordpress.org/support/article/editing-wp-config-php/#security-keys[wordpress.org] - WordPress Security Keys