CWE-522 Insufficiently Protected Credentials
What this means
SiteShadow flagged a place where credentials (passwords, session tokens, API keys or similar) are stored, handled, or transmitted in a way that makes theft easier: weak or unsalted hashing, plaintext storage, transport without TLS, secrets in logs or URLs, session cookies without safe flags, or tokens that stay valid far longer than they need to.
Why it matters
Weak protection leads to credential theft and reuse.
- Account takeover when passwords/tokens leak.
- Credential stuffing across services because users reuse passwords.
- Wider blast radius when long-lived or overly-scoped credentials are exposed.
Safer examples
1) Hash passwords properly
Use a memory-hard, salted password hash such as Argon2id, scrypt or bcrypt with a random per-user salt and cost parameters tuned for your hardware; never plain MD5/SHA-1 or unsalted SHA-256, and never a reversible encoding (see P02 / CWE-256 / CWE-261).
2) Use secure transport and safe storage
Use TLS in transit (see CWE-319 / CWE-523), set Secure, HttpOnly and SameSite on session cookies, and keep secrets out of logs and URL query strings, where they end up in access logs, browser history and Referer headers (see CWE-532 / CWE-598).
3) Prefer short-lived, scoped credentials
Issue access tokens with a short lifetime and only the scopes the caller needs, rotate them regularly, and keep a revocation path so a leaked token can be killed before it expires (see TOK01).
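The three points above in working code, as an added example that is not SiteShadow's code or part of this page's original content. It uses only the Python standard library: scrypt from hashlib for password storage (Argon2id would need a third-party package), an HMAC-SHA256 signed bearer token with expiry, scope and a revocation list, and a Set-Cookie value with the safe flags. The cost parameters, the 15-minute TTL and the in-memory revocation set are illustrative assumptions, not recommended production values.

```python
# Added example (not SiteShadow's code): salted scrypt password hashing,
# short-lived scoped HMAC tokens with revocation, and a cookie with safe flags.
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# scrypt cost parameters (assumption): 2**14/8/1 uses 16 MiB and keeps the
# example fast; raise N for production after measuring login latency.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
TOKEN_TTL_SECONDS = 900  # 15 minutes (assumption)
_revoked: set = set()  # stands in for a server-side denylist keyed by token id


def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing hash: $scrypt$N$r$p$salt$dk, fresh salt per call."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64e(salt), _b64e(dk))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored beside the hash; constant-time compare."""
    try:
        _, alg, n, r, p, salt, dk = stored.split("$")
        if alg != "scrypt":
            return False  # unknown or weak format: fail closed
        want = _b64d(dk)
        got = hashlib.scrypt(password.encode("utf-8"), salt=_b64d(salt),
                             n=int(n), r=int(r), p=int(p), dklen=len(want))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(got, want)


def issue_token(key: bytes, subject: str, scope: str, now: Optional[float] = None) -> str:
    """Bearer token = base64(payload) + '.' + base64(HMAC-SHA256(key, payload))."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "scope": scope,
               "exp": int(now) + TOKEN_TTL_SECONDS, "jti": secrets.token_hex(8)}
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def check_token(key: bytes, token: str, required_scope: str,
                now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if signature, expiry, scope and revocation all pass, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None  # verified before parsing: untrusted bytes never reach json.loads
    payload = json.loads(_b64d(body))
    if payload["exp"] <= now or payload["jti"] in _revoked:
        return None
    if required_scope not in payload["scope"].split():
        return None  # token is valid but not for this operation
    return payload


def revoke_token(token: str) -> None:
    """Deny a specific token before its expiry (for logout or a suspected leak)."""
    _revoked.add(json.loads(_b64d(token.split(".")[0]))["jti"])


def session_cookie(name: str, value: str, max_age: int = TOKEN_TTL_SECONDS) -> str:
    """Set-Cookie value carrying the flags a scanner looks for: Secure, HttpOnly, SameSite."""
    return "%s=%s; Max-Age=%d; Path=/; Secure; HttpOnly; SameSite=Strict" % (name, value, max_age)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored, verify_password("correct horse battery staple", stored))
    key = secrets.token_bytes(32)
    tok = issue_token(key, "alice", "read write")
    print(check_token(key, tok, "read"), session_cookie("sid", tok))
```

Two details worth copying even if the rest is replaced by a library: the stored hash carries its own parameters, so cost can be raised later and old entries re-hashed on next login, and the token signature is checked before the payload is parsed, so a forged token never reaches the JSON parser.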
How SiteShadow detects it (high level)
- Detects credential-like fields and checks for common protection signals (hashing, encryption, secure transport, safe cookie flags).
- Flags insecure patterns (plaintext, weak transforms, long-lived tokens) in credential contexts.
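A simplified illustration of the kind of checks the two bullets describe, added here as an example; it is not SiteShadow's detection logic and the sample lines are constructed, not real findings. Each line is treated as one line from a config file, source file or HTTP response, and a finding is raised only when a credential-like context is present alongside a missing protection signal; the strong-hash prefixes and the one-day lifetime threshold are assumptions.

```python
# Added example (not SiteShadow's code): toy line scanner for CWE-522 patterns.
import re
from typing import List, Tuple

# Constructed sample input: one line each from a config, a source file, two
# HTTP responses, a token setting and an access log.
SAMPLE_LINES = [
    'db_password = "hunter2"',
    'stored_hash = md5(password)',
    'password_hash = "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$RdescudvJCsgt3ub"',
    'Set-Cookie: session=abc123; Path=/',
    'Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
    'access_token_ttl = 31536000',
    'GET /login?password=hunter2 HTTP/1.1',
]

MAX_TOKEN_LIFETIME = 86400  # one day (assumption)
# Prefixes of self-describing strong hash formats (assumption: the usual ones).
STRONG_HASH_PREFIX = ("$argon2", "$2a$", "$2b$", "$2y$", "$scrypt$", "$7$", "$pbkdf2")

CRED_FIELD = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|credential)", re.I)
# credential-named identifier assigned a quoted literal; group(3) is the value
LITERAL_ASSIGN = re.compile(
    r"""\b[\w.]*(pass(word|wd)?|secret|token|api[_-]?key)\w*\s*[:=]\s*["']([^"']*)["']""", re.I)
WEAK_HASH = re.compile(r"\b(md5|sha1)\s*\(", re.I)
COOKIE = re.compile(r"^Set-Cookie:\s*(.*)$", re.I)
SESSION_COOKIE = re.compile(r"^(session|sess|sid|auth|token|jwt)", re.I)
# token/session lifetime setting in seconds; group(3) is the number
TTL = re.compile(r"\b\w*(token|session)\w*(ttl|expir\w*|lifetime)\w*\s*[:=]\s*(\d+)", re.I)
URL_CRED = re.compile(r"\?.*\b(pass(word|wd)?|token|secret)=", re.I)


def scan_line(line: str) -> List[str]:
    """Return the findings for one line (empty list when nothing looks wrong)."""
    findings = []
    m = LITERAL_ASSIGN.search(line)
    if m and not m.group(3).startswith(STRONG_HASH_PREFIX):
        findings.append("plaintext credential literal")
    w = WEAK_HASH.search(line)
    if w and CRED_FIELD.search(line):
        findings.append("weak transform (%s) over credential" % w.group(1).lower())
    c = COOKIE.match(line)
    if c:
        parts = [p.strip() for p in c.group(1).split(";")]
        name = parts[0].split("=", 1)[0]
        if SESSION_COOKIE.match(name):
            flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
            missing = [f for f in ("Secure", "HttpOnly", "SameSite") if f.lower() not in flags]
            if missing:
                findings.append("session cookie missing " + ", ".join(missing))
    t = TTL.search(line)
    if t and int(t.group(3)) > MAX_TOKEN_LIFETIME:
        findings.append("long-lived token (%d days)" % (int(t.group(3)) // 86400))
    if URL_CRED.search(line):
        findings.append("credential in URL query string")
    return findings


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan every line; returns (1-based line number, finding) pairs."""
    return [(i + 1, f) for i, line in enumerate(lines) for f in scan_line(line)]


if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LINES):
        print("line %d: %s" % (n, finding))
```

Lines 3 and 5 of the sample are the controls: a credential field holding an Argon2id hash and a session cookie with all three flags produce no finding, which is the behaviour to check first when tuning any credential detector, since a rule that fires on properly hashed values is just noise.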
References
- CWE-522: https://cwe.mitre.org/data/definitions/522.html
---