SCP06 Cryptographic Practices
What this means
SiteShadow flagged cryptographic practices that are weak, outdated, or misused (deprecated algorithms, weak key sizes, missing authentication, homebrew crypto, weak randomness).
Why it matters
Weak cryptography enables data exposure and tampering.
- Confidentiality loss when encryption is breakable or misused.
- Tampering risk when encryption is not authenticated (missing integrity): with an unauthenticated mode such as raw CBC or CTR, an attacker can modify ciphertext and the receiver has no way to detect it.
- Credential compromise when passwords/tokens are generated or stored insecurely.
Safer examples
1) Use modern authenticated encryption (AEAD)
Prefer AES-GCM or ChaCha20-Poly1305 via vetted libraries, with keys of at least 128 bits (see CWE-326). Both modes require a nonce that is unique per encryption under a given key; reusing an AES-GCM nonce breaks both confidentiality and authenticity, so generate it from a CSPRNG or a strictly increasing counter and never hard-code it.
2) Use CSPRNG for tokens and keys
import secrets
token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; never random.random() or a time-seeded generator
3) Don't roll your own crypto
Avoid custom ciphers/encodings; use standard libraries and managed key storage (see CWE-1240 / S01).
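The following worked example is added here to tie items 2 and 3 together; it is not code from the SiteShadow page. It uses only the Python standard library (secrets, hmac, hashlib) and shows two of the patterns SCP06 wants in place of weak ones: an HMAC-SHA256-tagged token whose tampering is detected in constant time, and salted PBKDF2-HMAC-SHA256 password storage in place of unsalted MD5/SHA-1. The record format, function names and the per-process SIGNING_KEY are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Server-side signing key. Generated per process here for the example only;
# a real service loads it from managed key storage (a KMS or secrets manager)
# so it survives restarts and never sits in source control.
SIGNING_KEY = secrets.token_bytes(32)

# OWASP's current guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def issue_token(user_id: str, key: bytes = SIGNING_KEY) -> str:
    """Return 'user_id.nonce.tag': nonce is 256 bits from the OS CSPRNG and
    tag is HMAC-SHA256 over 'user_id.nonce'. The tag is what turns an
    unauthenticated blob into one whose modification the server can detect."""
    if "." in user_id:
        raise ValueError("user_id must not contain the separator '.'")
    nonce = secrets.token_urlsafe(32)  # secrets, never random.random()
    body = f"{user_id}.{nonce}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str, key: bytes = SIGNING_KEY):
    """Return the user_id if the tag authenticates the token, else None.
    hmac.compare_digest is constant-time, so response timing does not leak
    how many leading tag bytes an attacker guessed correctly."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    user_id, nonce, tag = parts
    expected = hmac.new(key, f"{user_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return user_id


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.
    A fresh 16-byte salt per password defeats precomputed tables; the slow,
    iterated KDF is exactly what a bare MD5/SHA-1 digest lacks."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and iteration count and compare
    in constant time. Keeping the parameters in the record lets you raise the
    iteration count later and rehash on the user's next successful login."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        stored = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:  # malformed record: wrong field count, bad hex, bad int
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    tok = issue_token("alice")
    print("token ok:", verify_token(tok))
    uid, nonce, tag = tok.split(".")
    print("tampered user_id accepted:", verify_token(f"bob.{nonce}.{tag}"))
    rec = hash_password("correct horse battery staple")
    print("password record:", rec)
    print("verify:", verify_password("correct horse battery staple", rec))
```

The token here is an HMAC over a server-chosen payload, which is the standard signed-cookie pattern rather than a homebrew scheme; if the token needs to carry more than a user id, use a vetted library's AEAD or JWT implementation rather than extending this by hand.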
How SiteShadow detects it (high level)
- Detects use of known-weak algorithms/modes and insecure crypto options.
- Flags crypto code used for auth/tokens/passwords where randomness or key management appears weak.
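To make the detection bullets concrete, here is an added illustrative scanner, written for this page and not SiteShadow's actual rule set or implementation. It runs a handful of assumed rules (deprecated hashes, ECB mode, legacy ciphers, the random module feeding a secret-looking variable, RSA keys under 2048 bits) over constructed sample source lines and reports line numbers. The rule ids, regexes and the SAMPLE_SOURCE are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the scanned source
    rule: str      # short rule id (assumed names, not SiteShadow's)
    message: str   # why the line was flagged
    source: str    # the offending line, stripped


# A rule maps one source line to a message, or None when the line is clean.
Rule = Callable[[str], Optional[str]]


def regex_rule(pattern: str, message: str, flags: int = 0) -> Rule:
    compiled = re.compile(pattern, flags)
    return lambda line: message if compiled.search(line) else None


def rsa_key_size_rule(line: str) -> Optional[str]:
    # A numeric check rather than a pure pattern: flag RSA keys below 2048 bits.
    m = re.search(r"rsa\.generate_private_key\([^)]*key_size\s*=\s*(\d+)", line)
    if m and int(m.group(1)) < 2048:
        return f"RSA key of {m.group(1)} bits is below the 2048-bit minimum"
    return None


RULES: list[tuple[str, Rule]] = [
    ("deprecated-hash", regex_rule(
        r"\bhashlib\.(md5|sha1)\s*\(",
        "MD5/SHA-1 are collision-broken; use SHA-256 or better, and a slow KDF for passwords")),
    ("insecure-mode", regex_rule(
        r"\bMODE_ECB\b",
        "ECB leaks plaintext structure and has no integrity; use an AEAD mode such as GCM")),
    ("weak-cipher", regex_rule(
        r"\b(DES|DES3|ARC4|RC4|Blowfish)\.new\s*\(",
        "legacy cipher; use AES-GCM or ChaCha20-Poly1305")),
    # Only fires when the assigned name looks security-sensitive, to limit noise.
    ("weak-randomness", regex_rule(
        r"^\s*\w*(token|secret|key|password|nonce|salt)\w*\s*=.*\brandom\.(random|randint|getrandbits|choices?)\s*\(",
        "the random module is not a CSPRNG; use secrets for security-sensitive values",
        re.IGNORECASE)),
    ("weak-key-size", rsa_key_size_rule),
]


def scan(source: str) -> list[Finding]:
    """Run every rule over every line and return findings in source order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule_id, rule in RULES:
            message = rule(line)
            if message:
                findings.append(Finding(line_no, rule_id, message, line.strip()))
    return findings


# Constructed sample input: a mix of weak and acceptable lines.
SAMPLE_SOURCE = """\
import hashlib, random, secrets
from Crypto.Cipher import AES, DES
from cryptography.hazmat.primitives.asymmetric import rsa

digest = hashlib.md5(password.encode()).hexdigest()
cipher = AES.new(key, AES.MODE_ECB)
legacy = DES.new(key8, DES.MODE_CBC, iv)
session_token = "".join(random.choice(ALPHABET) for _ in range(32))
good_token = secrets.token_urlsafe(32)
priv = rsa.generate_private_key(public_exponent=65537, key_size=1024)
strong = rsa.generate_private_key(public_exponent=65537, key_size=3072)
ok = hashlib.sha256(data).hexdigest()
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: [{f.rule}] {f.message}\n    {f.source}")
```

Line-level regexes cannot tell a password hash from a file checksum, which is why the page's own description ties findings to code "used for auth/tokens/passwords": a production scanner needs data-flow context to keep the false-positive rate down, and the variable-name heuristic in weak-randomness is only a stand-in for that.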
References
- OWASP Secure Coding Practices: https://owasp.org/www-project-secure-coding-practices-quick-reference-guide/
---