CWE-1240 Use of Risky Cryptographic Implementation
What this means
SiteShadow flagged use of "homebrew" cryptography or risky custom implementations (custom encryption, custom token signing, custom password hashing, or ad-hoc obfuscation) instead of vetted libraries.
Why it matters
Homebrew crypto is error-prone and often insecure.
- Subtle design flaws (nonce reuse, missing authentication, weak key derivation) can completely break security.
- False sense of security: code "looks encrypted" but doesn't resist real attackers.
- Hard to audit: custom crypto is difficult to review and maintain safely.
Safer examples
1) Use well-maintained libraries and standard primitives
Prefer platform-standard crypto libraries and recommended constructions (AEAD, HKDF, Argon2id/bcrypt).
2) Don't roll your own token formats
Use standard signed tokens (e.g., JWT with proper validation) or opaque server-side sessions (see JWT01 / CWE-347).
3) Get key management right
Keys should come from a secret manager/KMS, rotate, and be scoped/least-privileged (see S01 / CWE-321).
How SiteShadow detects it (high level)
- Detects custom crypto routines, ad-hoc transforms, and non-standard "encryption" patterns.
- Flags when risky crypto is used for authentication, tokens, password storage, or data protection.
References
- CWE-1240: https://cwe.mitre.org/data/definitions/1240.html
---