Hash Length Extension Attacks: When Concatenation Becomes Forgery
When apps authenticate messages with MD5 or SHA1 of secret plus data, length extension turns the signature into a free forgery oracle. We cover Merkle-Damgård internals, hashpump usage, and HMAC migration.
By Arjun Raghavan, Security & Systems Lead, BIPI · December 23, 2023 · 9 min read
The bug pattern
Code computes the signature as md5(secret + message) or sha1(secret + message), where secret is fixed and message is user controlled. The Merkle-Damgård construction lets an attacker append data to message and produce a valid signature for the extended message without knowing the secret, given only the original signature and the length of the secret.
Why Merkle-Damgård leaks
MD5, SHA1, and SHA2 process input in fixed size blocks, carrying an internal state from one block to the next. The final state is the output (the truncated variants SHA-224 and SHA-384 are the exception: they discard part of the state, so the output does not reveal all of it). If you know the final state, you can load it back into the compression function and continue hashing more data from there. The attacker pads the original input (secret plus message, which is why the secret length matters) to a block boundary exactly as the hash would have, appends new data, and computes the new signature by resuming from the captured output.
Hashpump in practice
- Identify a signed parameter, for example a query string with user, role, and a sig field
- Guess the secret length; common values are 16, 32, and 64, and brute forcing the range is fast
- Run hashpump with the original signature, the original data, the data to append (setting role to admin), and the guessed key length
- Submit the new request with the produced sig; the server validates it as if it had been signed with the secret
Real targets
- The Flickr API in 2009 was the canonical public example
- Several Django middleware bugs over the years used naive concatenation
- Homegrown SaaS webhook signing routinely rolls its own SHA1 instead of HMAC
- License key formats in commercial software often use this pattern
Tooling
hashpumpy and hash_extender are the two tools to know. hash_extender supports MD4, MD5, SHA1, SHA256, SHA512, and WHIRLPOOL. Both let you specify the original signature, original data, append data, and a range of secret lengths to try.
Detection
- Look for a signature field near the end of URLs or bodies with user controlled fields trailing after it
- Watch for requests whose signed payload contains a 0x80 byte followed by zeros and a 64 bit length, the tell-tale shape of length extension glue
- Repeated signature validation failures from a single client while it brute forces the key length
Remediation
- Replace md5(secret + data) with HMAC-SHA256 using the secret as the HMAC key
- Adopt JWT with HS256 or EdDSA only after also adding strict validation and pinning the alg header
- Reject requests whose signed payload contains the padding sequence 0x80, zeros, and an 8 byte length unless such bytes are explicitly expected
- Rotate signing keys and log all signature failures with full request bodies for forensics
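To make the remediation and the detection check concrete, here is an added Python example (not code from the original post, nor from hashpump or hash_extender): the naive md5(secret + message) beside its HMAC-SHA256 replacement, and a check that flags the 0x80, zeros, 8-byte-length glue inside a signed payload for any secret length in a guessed range. The 16-byte secret, the query string, and the extended payload are constructed sample values.

```python
import hashlib
import hmac
import struct

BLOCK = 64  # block size in bytes of MD5, SHA-1 and SHA-256 (SHA-512 uses 128-byte blocks and a 16-byte length; not handled)


def sign_naive(secret: bytes, msg: bytes) -> str:
    """The bug pattern: md5(secret + message). Shown only to contrast with sign_hmac."""
    return hashlib.md5(secret + msg).hexdigest()


def sign_hmac(secret: bytes, msg: bytes) -> str:
    """Remediation: HMAC-SHA256 keyed with the secret. The outer hash hides the inner state,
    so a tag cannot be resumed into a tag over a longer message."""
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_hmac(secret: bytes, msg: bytes, sig: str) -> bool:
    # constant-time comparison so the verifier does not leak how many bytes matched
    return hmac.compare_digest(sign_hmac(secret, msg), sig)


def md_padding(total_len: int, byte_order: str) -> bytes:
    """Merkle-Damgård padding for an input of total_len bytes: 0x80, zeros up to 56 mod 64,
    then the 8-byte bit length. byte_order is ">" for SHA-1/SHA-256 and "<" for MD5."""
    zeros = (55 - total_len) % BLOCK
    return b"\x80" + b"\x00" * zeros + struct.pack(byte_order + "Q", total_len * 8)


def extension_glue_hits(msg: bytes, key_lens=range(1, 129)) -> list:
    """Detection check: find padding runs inside the signed payload that are exactly the glue
    an extension over secret + msg[:i] would carry, for some secret length in key_lens.
    Returns (offset, key_len) pairs; an empty list means no length-extension shape was found."""
    hits = []
    for i in (j for j, b in enumerate(msg) if b == 0x80):
        for klen in key_lens:
            if any(msg.startswith(md_padding(klen + i, order), i) for order in ("<", ">")):
                hits.append((i, klen))
                break
    return hits


if __name__ == "__main__":
    secret = b"k" * 16                      # constructed sample secret, 16 bytes
    original = b"user=alice&role=user"      # constructed signed query string
    # constructed payload with the shape a length-extended request has (MD5 glue for a 16-byte secret)
    extended = original + md_padding(len(secret) + len(original), "<") + b"&role=admin"
    print("naive md5 tag :", sign_naive(secret, original))
    print("hmac tag      :", sign_hmac(secret, original))
    print("clean payload :", extension_glue_hits(original))    # []
    print("extended      :", extension_glue_hits(extended))    # [(20, 16)]
```

A hit on a payload that is not expected to carry binary padding is grounds to reject the request before the signature is even checked, and the (offset, key_len) pair tells you which secret length the client was probing.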
If your signature can be extended, your authorization is a polite request.