Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

igbuend/length-extension-attacks-anti-pattern

Name: length-extension-attacks-anti-pattern
Author: igbuend

skills/length-extension-attacks-anti-pattern/SKILL.md

npx skillsauth add igbuend/grimbard length-extension-attacks-anti-pattern

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Length Extension Attacks Anti-Pattern

Severity: High

Summary

Hash length extension attacks exploit Merkle-Damgård construction vulnerabilities in MD5, SHA-1, and SHA-256. Attackers knowing hash(secret + message) and secret length can compute hash(secret + message + padding + attacker_data) without knowing the secret. This enables appending data to signed messages with valid signatures, completely breaking message integrity and authentication.

The Anti-Pattern

Never use vulnerable hash functions (MD5, SHA-1, SHA-256) in hash(secret + message) construction for MACs. Use HMAC instead.

BAD Code Example

# VULNERABLE: Using hash(secret + message) for message signature
import hashlib

SECRET_KEY = b"my_super_secret_key_16b" # 16 bytes

def get_signed_url(message):
    # Signature created by prepending secret to message and hashing
    # Vulnerable to length extension
    signature = hashlib.sha256(SECRET_KEY + message.encode()).hexdigest()
    return f"/api/action?{message}&signature={signature}"

def verify_request(message, signature):
    expected_signature = hashlib.sha256(SECRET_KEY + message.encode()).hexdigest()
    return signature == expected_signature

# 1. Legitimate URL generated:
#    Message: "user=alice&action=view"
#    URL: /api/action?user=alice&action=view&signature=...

# 2. Attacker intercepts URL. Knows signature and message.
#    Doesn't know SECRET_KEY but can guess length (16 bytes)

# 3. Using `hashpump`, attacker computes new valid signature for extended message
#    Original: "user=alice&action=view"
#    Extended: "user=alice&action=view" + padding + "&action=delete&target=bob"
#    Tool generates new signature and message with padding

# 4. Server receives forged request, recomputes hash of `SECRET_KEY + extended_message`,
#    finds it matches attacker's signature. Delete action processed

GOOD Code Example

# SECURE: Use HMAC (Hash-based Message Authentication Code)
import hmac
import hashlib

SECRET_KEY = b"my_super_secret_key_16b"

def get_signed_url_secure(message):
    # HMAC designed to prevent length extension attacks
    # Two-step hashing: hash(key XOR opad, hash(key XOR ipad, message))
    signature = hmac.new(SECRET_KEY, message.encode(), hashlib.sha256).hexdigest()
    return f"/api/action?{message}&signature={signature}"

def verify_request_secure(message, signature):
    expected_signature = hmac.new(SECRET_KEY, message.encode(), hashlib.sha256).hexdigest()
    # Use hmac.compare_digest for constant-time comparison, prevents timing attacks
    return hmac.compare_digest(signature, expected_signature)

# Attacker cannot extend HMAC-signed message without secret key
# Inner hash `hash(key XOR ipad, message)` prevents continuing hash chain

Language-Specific Examples

JavaScript/Node.js:

// VULNERABLE: hash(secret + message) construction
const crypto = require('crypto');

const SECRET = 'my_secret_key';

function signMessage(message) {
    // Vulnerable to length extension!
    const signature = crypto.createHash('sha256')
        .update(SECRET + message)
        .digest('hex');
    return signature;
}

// SECURE: Use HMAC
const crypto = require('crypto');

const SECRET = 'my_secret_key';

function signMessageSecure(message) {
    const signature = crypto.createHmac('sha256', SECRET)
        .update(message)
        .digest('hex');
    return signature;
}

// Verify with constant-time comparison
function verifySignature(message, signature) {
    const expected = signMessageSecure(message);
    return crypto.timingSafeEqual(
        Buffer.from(signature),
        Buffer.from(expected)
    );
}

Java:

// VULNERABLE: Manual hash(secret + message)
import java.security.MessageDigest;

public class InsecureSigning {
    private static final String SECRET = "my_secret_key";

    public static String signMessage(String message) throws Exception {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        // Vulnerable to length extension!
        String combined = SECRET + message;
        byte[] hash = digest.digest(combined.getBytes());
        return bytesToHex(hash);
    }
}

// SECURE: Use HMAC
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;

public class SecureSigning {
    private static final String SECRET = "my_secret_key";

    public static String signMessage(String message) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA256");
        SecretKeySpec secretKey = new SecretKeySpec(
            SECRET.getBytes(), "HmacSHA256");
        hmac.init(secretKey);
        byte[] hash = hmac.doFinal(message.getBytes());
        return bytesToHex(hash);
    }

    // Constant-time comparison
    public static boolean verifySignature(String message, String signature)
            throws Exception {
        String expected = signMessage(message);
        return MessageDigest.isEqual(
            signature.getBytes(),
            expected.getBytes()
        );
    }
}

Detection

Find hash(secret + message) patterns: Grep for concatenation before hashing:
- rg 'hashlib\.(md5|sha1|sha256)\(.*\+' --type py
- rg 'crypto\.createHash.*update.*\+' --type js
- rg 'MessageDigest.*update.*\+' --type java
- Look for hash(key + data) or hash(data + key) patterns
Identify vulnerable hash functions for MACs: Search for signing without HMAC:
- rg 'hashlib\.(md5|sha1|sha256)' --type py | rg -v 'hmac'
- rg 'crypto\.createHash\(' --type js | rg -v 'createHmac'
- rg 'MessageDigest\.getInstance.*MD5|SHA-1|SHA-256' --type java | rg -v 'Mac\.getInstance'
Audit signature generation: Find custom MAC implementations:
- rg 'signature.*=.*hash|mac.*=.*hash' -i
- Check API signatures, token generation, cookie signing
Use static analysis: Run tools to detect weak crypto:
- Semgrep: python.lang.security.audit.hashlib-weak-hash
- Bandit: B303 (MD5/SHA1 usage)

Prevention

[ ] Use HMAC: Always use HMAC for message authentication codes. Industry standard, immune to length extension attacks, available in standard libraries
[ ] Choose secure hash functions: Use HMAC with SHA-256 or SHA-3
[ ] Never roll your own crypto: Avoid custom schemes like hash(message + secret) or hash(secret + message + secret). Use HMAC
[ ] Alternative if HMAC unavailable: Use SHA-3 or BLAKE2 (not vulnerable to length extension). HMAC still preferred

Related Security Patterns & Anti-Patterns

Weak Encryption Anti-Pattern: Part of broader cryptographic failures category
Timing Attacks Anti-Pattern: Use constant-time comparison for signature verification to prevent timing leaks

References

OWASP Top 10 A04:2025 - Cryptographic Failures
OWASP GenAI LLM10:2025 - Unbounded Consumption
CWE-328: Reversible One-Way Hash
CAPEC-97: Cryptanalysis
Length Extension Attack (Wikipedia)
Hash Length Extension Attacks
BlueKrypt - Cryptographic Key Length Recommendation
Source: sec-context

igbuend/length-extension-attacks-anti-pattern

skills/length-extension-attacks-anti-pattern/SKILL.md

Security anti-pattern for hash length extension vulnerabilities (CWE-328). Use when generating or reviewing code that uses hash(secret + message) for authentication, API signatures, or integrity verification. Detects Merkle-Damgard hash misuse.

4 stars

tools

Updated Apr 5, 2026

$ install --global

skillsauth

npx skillsauth add igbuend/grimbard length-extension-attacks-anti-pattern

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 5, 2026, 8:19 PM34.9s1 file scanned

SKILL.md

name:: length-extension-attacks-anti-pattern
description:: Security anti-pattern for hash length extension vulnerabilities (CWE-328). Use when generating or reviewing code that uses hash(secret + message) for authentication, API signatures, or integrity verification. Detects Merkle-Damgard hash misuse.

Length Extension Attacks Anti-Pattern

Severity: High

Summary

The Anti-Pattern

Never use vulnerable hash functions (MD5, SHA-1, SHA-256) in hash(secret + message) construction for MACs. Use HMAC instead.

BAD Code Example

# VULNERABLE: Using hash(secret + message) for message signature
import hashlib

SECRET_KEY = b"my_super_secret_key_16b" # 16 bytes

def get_signed_url(message):
    # Signature created by prepending secret to message and hashing
    # Vulnerable to length extension
    signature = hashlib.sha256(SECRET_KEY + message.encode()).hexdigest()
    return f"/api/action?{message}&signature={signature}"

def verify_request(message, signature):
    expected_signature = hashlib.sha256(SECRET_KEY + message.encode()).hexdigest()
    return signature == expected_signature

# 1. Legitimate URL generated:
#    Message: "user=alice&action=view"
#    URL: /api/action?user=alice&action=view&signature=...

# 2. Attacker intercepts URL. Knows signature and message.
#    Doesn't know SECRET_KEY but can guess length (16 bytes)

# 3. Using `hashpump`, attacker computes new valid signature for extended message
#    Original: "user=alice&action=view"
#    Extended: "user=alice&action=view" + padding + "&action=delete&target=bob"
#    Tool generates new signature and message with padding

# 4. Server receives forged request, recomputes hash of `SECRET_KEY + extended_message`,
#    finds it matches attacker's signature. Delete action processed

GOOD Code Example

# SECURE: Use HMAC (Hash-based Message Authentication Code)
import hmac
import hashlib

SECRET_KEY = b"my_super_secret_key_16b"

def get_signed_url_secure(message):
    # HMAC designed to prevent length extension attacks
    # Two-step hashing: hash(key XOR opad, hash(key XOR ipad, message))
    signature = hmac.new(SECRET_KEY, message.encode(), hashlib.sha256).hexdigest()
    return f"/api/action?{message}&signature={signature}"

def verify_request_secure(message, signature):
    expected_signature = hmac.new(SECRET_KEY, message.encode(), hashlib.sha256).hexdigest()
    # Use hmac.compare_digest for constant-time comparison, prevents timing attacks
    return hmac.compare_digest(signature, expected_signature)

# Attacker cannot extend HMAC-signed message without secret key
# Inner hash `hash(key XOR ipad, message)` prevents continuing hash chain

Language-Specific Examples

JavaScript/Node.js:

// VULNERABLE: hash(secret + message) construction
const crypto = require('crypto');

const SECRET = 'my_secret_key';

function signMessage(message) {
    // Vulnerable to length extension!
    const signature = crypto.createHash('sha256')
        .update(SECRET + message)
        .digest('hex');
    return signature;
}

// SECURE: Use HMAC
const crypto = require('crypto');

const SECRET = 'my_secret_key';

function signMessageSecure(message) {
    const signature = crypto.createHmac('sha256', SECRET)
        .update(message)
        .digest('hex');
    return signature;
}

// Verify with constant-time comparison
function verifySignature(message, signature) {
    const expected = signMessageSecure(message);
    return crypto.timingSafeEqual(
        Buffer.from(signature),
        Buffer.from(expected)
    );
}

Java:

// VULNERABLE: Manual hash(secret + message)
import java.security.MessageDigest;

public class InsecureSigning {
    private static final String SECRET = "my_secret_key";

    public static String signMessage(String message) throws Exception {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        // Vulnerable to length extension!
        String combined = SECRET + message;
        byte[] hash = digest.digest(combined.getBytes());
        return bytesToHex(hash);
    }
}

// SECURE: Use HMAC
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;

public class SecureSigning {
    private static final String SECRET = "my_secret_key";

    public static String signMessage(String message) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA256");
        SecretKeySpec secretKey = new SecretKeySpec(
            SECRET.getBytes(), "HmacSHA256");
        hmac.init(secretKey);
        byte[] hash = hmac.doFinal(message.getBytes());
        return bytesToHex(hash);
    }

    // Constant-time comparison
    public static boolean verifySignature(String message, String signature)
            throws Exception {
        String expected = signMessage(message);
        return MessageDigest.isEqual(
            signature.getBytes(),
            expected.getBytes()
        );
    }
}

Detection

Find hash(secret + message) patterns: Grep for concatenation before hashing:
- rg 'hashlib\.(md5|sha1|sha256)\(.*\+' --type py
- rg 'crypto\.createHash.*update.*\+' --type js
- rg 'MessageDigest.*update.*\+' --type java
- Look for hash(key + data) or hash(data + key) patterns
Identify vulnerable hash functions for MACs: Search for signing without HMAC:
- rg 'hashlib\.(md5|sha1|sha256)' --type py | rg -v 'hmac'
- rg 'crypto\.createHash\(' --type js | rg -v 'createHmac'
- rg 'MessageDigest\.getInstance.*MD5|SHA-1|SHA-256' --type java | rg -v 'Mac\.getInstance'
Audit signature generation: Find custom MAC implementations:
- rg 'signature.*=.*hash|mac.*=.*hash' -i
- Check API signatures, token generation, cookie signing
Use static analysis: Run tools to detect weak crypto:
- Semgrep: python.lang.security.audit.hashlib-weak-hash
- Bandit: B303 (MD5/SHA1 usage)

Prevention

[ ] Use HMAC: Always use HMAC for message authentication codes. Industry standard, immune to length extension attacks, available in standard libraries
[ ] Choose secure hash functions: Use HMAC with SHA-256 or SHA-3
[ ] Never roll your own crypto: Avoid custom schemes like hash(message + secret) or hash(secret + message + secret). Use HMAC
[ ] Alternative if HMAC unavailable: Use SHA-3 or BLAKE2 (not vulnerable to length extension). HMAC still preferred

Related Security Patterns & Anti-Patterns

Weak Encryption Anti-Pattern: Part of broader cryptographic failures category
Timing Attacks Anti-Pattern: Use constant-time comparison for signature verification to prevent timing leaks

References

OWASP Top 10 A04:2025 - Cryptographic Failures
OWASP GenAI LLM10:2025 - Unbounded Consumption
CWE-328: Reversible One-Way Hash
CAPEC-97: Cryptanalysis
Length Extension Attack (Wikipedia)
Hash Length Extension Attacks
BlueKrypt - Cryptographic Key Length Recommendation
Source: sec-context

Related Skills

igbuend/xss-anti-pattern

development

VerifiedTrustedCommunity

Security anti-pattern for Cross-Site Scripting vulnerabilities (CWE-79). Use when generating or reviewing code that renders HTML, handles user input in web pages, uses innerHTML/document.write, or builds dynamic web content. Covers Reflected, Stored, and DOM-based XSS. AI code has 86% XSS failure rate.

4SKILL.mdUpdated Apr 5, 2026

igbuend/xss-anti-pattern

igbuend/xpath-injection-anti-pattern

development

VerifiedTrustedCommunity

Security anti-pattern for XPath injection vulnerabilities (CWE-643). Use when generating or reviewing code that queries XML documents, constructs XPath expressions, or handles user input in XML operations. Detects unescaped quotes and special characters in XPath queries.

4SKILL.mdUpdated Apr 5, 2026

igbuend/xpath-injection-anti-pattern

igbuend/weak-password-hashing-anti-pattern

development

VerifiedTrustedCommunity

Security anti-pattern for weak password hashing (CWE-327, CWE-759). Use when generating or reviewing code that stores or verifies user passwords. Detects use of MD5, SHA1, SHA256 without salt, or missing password hashing entirely. Recommends bcrypt, Argon2, or scrypt.

4SKILL.mdUpdated Apr 5, 2026

igbuend/weak-password-hashing-anti-pattern

igbuend/weak-encryption-anti-pattern

development

VerifiedTrustedCommunity

Security anti-pattern for weak encryption (CWE-326, CWE-327). Use when generating or reviewing code that encrypts data, handles encryption keys, or uses cryptographic modes. Detects DES, ECB mode, static IVs, and custom crypto implementations.

4SKILL.mdUpdated Apr 5, 2026

igbuend/weak-encryption-anti-pattern

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/igbuend/grimbard.git

# Copy into Claude Code skills folder (global)
cp -r grimbard/skills/length-extension-attacks-anti-pattern ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

igbuend/grimbard

4 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT