Length Extension Attack

A length extension attack exploits the iterative structure of Merkle-Damgård hash functions (MD5, SHA-1, SHA-256). Given H(secret || message) and the length of the secret, an attacker can compute H(secret || message || padding || extension) for an extension of their choosing without knowing the secret itself.

Vulnerable Construction

// BAD: Using hash for authentication
signature = SHA256(secret + data)

// Attacker knows:
// - The data
// - The signature (hash output)
// - Length of secret (or can guess)

// Attacker can compute:
new_signature = SHA256(secret + data + padding + evil_data)

How It Works

The hash output is the function's internal state after the last block has been processed, so the digest is all an attacker needs to resume hashing. The attacker:

  1. Loads the known output back into the hash state
  2. Calculates the padding the function appended to secret || message (it depends only on the total length, so only the secret's length is needed)
  3. Continues hashing from that state with the additional data
  4. Obtains a valid hash for the extended message

Example Attack

// Original signed request
data = "amount=100&to=bob"
sig = SHA256(secret + data)  // Known to attacker

// Attacker extends to:
evil_data = data + padding + "&amount=10000"
evil_sig = length_extend(sig, secret_length, "&amount=10000")

// Server validates:
SHA256(secret + evil_data) == evil_sig  // PASSES!

Prevention

  • Use HMAC: the only correct solution for message authentication
  • Use SHA-3 or BLAKE2/BLAKE3 (not vulnerable: SHA-3's sponge construction and BLAKE2/BLAKE3's finalization do not expose the full internal state in the output)
  • Never use raw hash concatenation, H(secret || message), for authentication

Why HMAC?

HMAC's nested construction, H((K XOR opad) || H((K XOR ipad) || message)), prevents length extension by design: the inner digest is hashed again under the key, so even an attacker who could extend the inner hash cannot compute the outer one without K. Always use HMAC, not ad-hoc constructions.
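An added example in Python (not from the original page) that makes two points above concrete: the glue padding from step 2 of "How It Works" is a function of the secret's length alone, and the HMAC verifier is what replaces the raw-hash one. The 16-byte key, the request body and the last-key-wins query-string parsing are constructed assumptions.

```python
import hashlib
import hmac
import struct
from urllib.parse import parse_qs

BLOCK = 64  # SHA-256 block size in bytes

def md_padding(total_len: int) -> bytes:
    """SHA-256 padding for a message of total_len bytes: 0x80, zero bytes
    up to 56 mod 64, then the bit length as a 64-bit big-endian integer.
    It depends only on the length, which is why the attacker needs the
    secret's length but never its bytes (step 2 of "How It Works")."""
    zeros = (55 - total_len) % BLOCK
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", total_len * 8)

def extended_message(data: bytes, secret_len: int, extension: bytes) -> bytes:
    """What the server ends up authenticating after its own secret:
    data || glue padding || extension. Only secret_len is required."""
    return data + md_padding(secret_len + len(data)) + extension

# Vulnerable scheme from the page: a bare hash over secret || data.
def sign_raw(secret: bytes, data: bytes) -> str:
    return hashlib.sha256(secret + data).hexdigest()

def verify_raw(secret: bytes, data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign_raw(secret, data), sig)

# Correct scheme: HMAC-SHA256; the outer keyed hash cannot be continued.
def sign_hmac(secret: bytes, data: bytes) -> str:
    return hmac.new(secret, data, hashlib.sha256).hexdigest()

def verify_hmac(secret: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_hmac(secret, data), tag)

def effective_amount(message: bytes) -> str:
    """Assumed server behaviour for illustration: the body is parsed as a
    query string and the last occurrence of a repeated key wins. The glue
    padding lands inside the 'to' value, so the parser never chokes on it."""
    fields = parse_qs(message.decode("latin-1"), keep_blank_values=True)
    return fields.get("amount", [""])[-1]

if __name__ == "__main__":
    secret = b"s3cr3t-key-12345"  # constructed 16-byte key
    data = b"amount=100&to=bob"
    forged = extended_message(data, len(secret), b"&amount=10000")
    # secret || data || glue is block-aligned: a raw hash of the forged
    # message is the original digest's state continued over the extension.
    print((len(secret) + len(forged) - len(b"&amount=10000")) % BLOCK)  # 0
    print(effective_amount(forged))  # 10000
```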
