C02 Weak Cryptography

What this means

SiteShadow flagged cryptographic choices that are weak, deprecated, or easy to misuse (weak hashes for passwords, insecure algorithms/modes, or DIY crypto).

Why it matters

Weak crypto can be broken or bypassed, exposing sensitive data.

Password cracking: MD5/SHA1/SHA256 are fast and easy to brute force for passwords.
Token forgery: weak signing or incorrect verification can let attackers mint valid tokens.
Data exposure: broken encryption or weak keys allow decryption of "protected" fields.

Safer examples

1) Hash passwords with Argon2id/scrypt/bcrypt (not a generic hash)

from argon2 import PasswordHasher
ph = PasswordHasher()
stored = ph.hash(password)

2) Use modern encryption defaults (via libraries)

Prefer library-provided, authenticated encryption modes (AES-GCM / ChaCha20-Poly1305) rather than implementing crypto yourself.

3) Avoid hardcoded keys and predictable salts

Store keys in a secret manager/HSM; generate salts per-password; rotate keys.

How SiteShadow detects it (high level)

Flags known weak algorithms and suspicious crypto configurations.
Detects "crypto-looking" code in sensitive contexts (password storage, token signing, secret storage).

References

CWE-327: https://cwe.mitre.org/data/definitions/327.html
CWE-326: https://cwe.mitre.org/data/definitions/326.html

---

← Back to Vulnerability Library

Request access View coverage