CWE-328 Reversible One-Way Hash
What this means
SiteShadow flagged a "hashing" implementation that is effectively reversible or not actually one-way (e.g., encryption used as "hash", encoding like Base64/hex, or a custom transform that can be inverted).
Why it matters
Reversible hashing exposes stored credentials and secrets.
- Immediate credential disclosure if attackers obtain the stored "hash".
- Worse than weak hashing: reversibility turns a breach into plaintext recovery.
- Security theater: it looks like "hashed," but it's not providing one-way protection.
Safer examples
1) For passwords: use proper password hashing (not encryption)
Use Argon2id/bcrypt/scrypt/PBKDF2 and store the full encoded hash output, so the salt and cost parameters needed to verify a login are kept alongside the digest.
2) For secrets you must recover: use encryption, but treat it as encryption
Use authenticated encryption (AEAD) with proper key management (see CWE-327, C02, KMS patterns).
3) Don't confuse encoding with security
Base64/hex are encodings, not cryptography. Anyone can decode them.
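An added example (not SiteShadow's own code) contrasting the pattern this rule flags with the fix from points 1 and 3: a Base64 "hash" that is trivially inverted, next to a salted, iterated PBKDF2-HMAC-SHA256 record from the Python standard library that stores the full encoded output and verifies in constant time. The record format, function names and the `ITERATIONS` constant are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# --- The CWE-328 pattern: an encoding presented as a "hash" ---
def reversible_hash(password: str) -> str:
    """Not one-way: Base64 is an encoding, so this is fully invertible."""
    return base64.b64encode(password.encode()).decode()

def recover_from_reversible(stored: str) -> str:
    """Shows that the stored 'hash' above yields the plaintext back."""
    return base64.b64decode(stored).decode()

# --- Safer: salted, slow, one-way password hashing (stdlib PBKDF2) ---
# Cost parameter; OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000.
ITERATIONS = 600_000

def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return the full encoded record: algorithm, cost, salt and digest."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return "$pbkdf2-sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )

def verify_password(password: str, encoded: str) -> bool:
    """Recompute from the parameters stored in the record; compare in constant time."""
    try:
        _, alg, iters, salt_b64, digest_b64 = encoded.split("$")
        if alg != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False  # malformed record: never raise, never accept
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations,
                                 dklen=len(expected))
    return hmac.compare_digest(actual, expected)
```

Because the iteration count travels with the record, old records keep verifying after `ITERATIONS` is raised and can be rehashed on the next successful login.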
How SiteShadow detects it (high level)
- Flags "hash" code paths that use reversible operations (encoding, encryption) or custom transforms.
- Looks for password/credential storage that uses non-password-hashing primitives.
References
- CWE-328: https://cwe.mitre.org/data/definitions/328.html