Hash Length Extension

Hash length extension is an attack against Merkle-Damgard hash functions (MD5, SHA1, SHA256) used naively as MACs. The internal state at the end of computing H(secret||data) is the hash output itself. An attacker can resume hashing from that state to compute H(secret||data||padding||extra) without knowing the secret.

Vulnerable pattern:

import hashlib

# Server creates MAC: sha256(secret + data)
secret = b"server_secret"
data = b"user_id=123&action=view"
mac = hashlib.sha256(secret + data).hexdigest()

Attack:

1. Attacker knows: mac, data, length of secret (often guessable)
2. Attacker uses HashPump or similar tool to compute H(secret||data||padding||"&action=admin") without knowing secret
3. Attacker submits new data + forged MAC — server verifies it as valid!

This attack was used against Flickr API and Vimeo in real-world breaches. Any API using SHA256(secret + message) is vulnerable.

HMAC (Hash-based Message Authentication Code) is specifically designed to prevent length extension attacks by applying the hash twice with different key derivations.

Safe implementation with HMAC:

import hmac
import hashlib
import secrets

# HMAC construction: safe against length extension
secret = os.environ["MAC_SECRET"].encode()

def create_mac(data):
    return hmac.new(secret, data.encode(), hashlib.sha256).hexdigest()

def verify_mac(data, provided_mac):
    expected = create_mac(data)
    # Also use constant-time comparison!
    return hmac.compare_digest(provided_mac, expected)

Why HMAC is safe:

HMAC = H((key XOR opad) || H((key XOR ipad) || message))

The outer hash over the inner hash output means an attacker cannot extend the message — they would need to extend the inner hash, but they only see the outer hash output.

Defense checklist:

• Always use HMAC for message authentication, never bare SHA256(secret + data)
• Use a secrets manager for HMAC keys
• Combine with constant-time comparison to prevent timing attacks
• For new APIs, consider Ed25519 digital signatures for non-repudiation