C02 Weak Cryptography
What this means
SiteShadow flagged cryptographic choices that are weak, deprecated, or easy to misuse (weak hashes for passwords, insecure algorithms/modes, or DIY crypto).
Why it matters
Weak crypto can be broken or bypassed, exposing sensitive data.
- Password cracking: MD5/SHA1/SHA256 are fast and easy to brute force for passwords.
- Token forgery: weak signing or incorrect verification can let attackers mint valid tokens.
- Data exposure: broken encryption or weak keys allow decryption of "protected" fields.
Safer examples
1) Hash passwords with Argon2id/scrypt/bcrypt (not a generic hash)
from argon2 import PasswordHasher
ph = PasswordHasher()
stored = ph.hash(password)
2) Use modern encryption defaults (via libraries)
Prefer library-provided, authenticated encryption modes (AES-GCM / ChaCha20-Poly1305) rather than implementing crypto yourself.
3) Avoid hardcoded keys and predictable salts
Store keys in a secret manager/HSM; generate salts per-password; rotate keys.
How SiteShadow detects it (high level)
- Flags known weak algorithms and suspicious crypto configurations.
- Detects "crypto-looking" code in sensitive contexts (password storage, token signing, secret storage).
References
- CWE-327: https://cwe.mitre.org/data/definitions/327.html
- CWE-326: https://cwe.mitre.org/data/definitions/326.html
---
← Back to Vulnerability Library
Catch this in your code with the free tier.
SiteShadow's free tier covers this exact pattern across the 23 OWASP Top 10 single-file checks. Sign in with your work SSO, first-time sign-in auto-issues your free license.