SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-311 Missing Encryption of Sensitive Data

Coverage: 2 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 1Other-pattern 1 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged sensitive data being stored or transmitted without encryption where encryption is expected (tokens, credentials, PII, customer data, backups).

Why it matters

Unencrypted sensitive data can be exposed or intercepted.

Safer examples

1) Use TLS for data in transit

Use HTTPS for all sensitive endpoints and keep certificate verification enabled (see T01 / CWE-295 / CWE-296).

2) Encrypt sensitive data at rest (when appropriate)

If you must store sensitive values, use vetted libraries and authenticated encryption (AES‑GCM / ChaCha20‑Poly1305) and manage keys securely.

3) Don't "encrypt passwords"

Passwords should be hashed using a password hashing algorithm (Argon2id/scrypt/bcrypt) (see P02 / CWE-256).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.