CWE-327 Broken or Risky Cryptographic Algorithm
What this means
SiteShadow flagged use of cryptographic algorithms or settings that are considered broken, weak, or deprecated for security purposes.
Why it matters
Broken crypto can be brute-forced or bypassed.
- Attackers can decrypt or forge data that you expect to be protected.
- Weak algorithms often fail "silently" until you have an incident.
Safer examples
1) Use modern, vetted primitives
- Hashing passwords: Argon2id / scrypt / bcrypt
- Encryption: AES-GCM / ChaCha20-Poly1305
- Signatures: Ed25519 / RSA-PSS (via libraries)
2) Avoid deprecated/broken algorithms for security
Examples: MD5, SHA-1 (for integrity/auth), DES/3DES, RC4.
3) Prefer libraries that are secure-by-default
Minimize custom crypto configuration and avoid rolling your own.
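Items 1 to 3 applied to password storage, as an added example that is not SiteShadow's or this page's own code: unsalted MD5 (the flagged pattern) beside salted scrypt from Python's standard library. The function names, the stored-string format and the scrypt cost parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Cost parameters are assumptions for this example; tune them to your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
SALT_LEN, KEY_LEN = 16, 32


def weak_hash(password: str) -> str:
    """Flagged pattern: fast, unsalted MD5. Equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted scrypt; parameters are stored so they can be raised later."""
    salt = secrets.token_bytes(SALT_LEN)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, key_hex = stored.split("$")
        if scheme != "scrypt":
            return False  # unknown or legacy scheme: reject instead of guessing
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        key = hashlib.scrypt(password.encode(), salt=salt,
                             n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, OverflowError):
        return False  # malformed record or invalid parameters
    return hmac.compare_digest(key, expected)


if __name__ == "__main__":
    record = hash_password("correct horse")  # constructed sample input
    print(record)
    print(verify_password("correct horse", record), verify_password("wrong", record))
```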
How SiteShadow detects it (high level)
- Flags known weak algorithms and risky configurations in crypto APIs.
- Uses context to prioritize security-sensitive usage (passwords, tokens, secret storage).
References
- CWE-327: https://cwe.mitre.org/data/definitions/327.html