A02 Cryptographic Failures

What this means

SiteShadow flagged cryptography usage that may be weak, outdated, or applied incorrectly for sensitive data (passwords, tokens, PII, secrets at rest/in transit).

Why it matters

Weak cryptography can lead to data exposure, tampering, or credential compromise.

Data leaks: attackers can decrypt or guess protected values.
Token/session abuse: weak signing/encryption can allow forgery.
Password cracking: fast hashes (MD5/SHA1/SHA256) are trivial to brute force at scale.

Safer examples

1) Use modern password hashing (not "hash(password)")

Prefer Argon2id, scrypt, or bcrypt with appropriate cost.

from argon2 import PasswordHasher
ph = PasswordHasher()
hash = ph.hash(password)

2) Use vetted TLS and keep verification on

Use HTTPS everywhere.
Don't disable TLS verification (see T01).

3) Use modern primitives and secure modes

Prefer AES-GCM / ChaCha20-Poly1305 for encryption.
Prefer Ed25519 / ECDSA / RSA-PSS for signatures (use proven libraries, not DIY).

How SiteShadow detects it (high level)

Flags known weak algorithms (e.g., MD5/SHA1 for security purposes) and risky modes/usages.
Detects "crypto DIY" patterns (hand-rolled key derivation, custom token signing).
Uses context cues to focus on security-sensitive flows (passwords, auth tokens, secret storage).

References

OWASP Top 10: https://owasp.org/Top10/

---

← Back to Vulnerability Library

Request access View coverage