CWE-311 Missing Encryption of Sensitive Data
Coverage: 2 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 1Other-pattern 1 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged sensitive data being stored or transmitted without encryption where encryption is expected (tokens, credentials, PII, customer data, backups).
Why it matters
Unencrypted sensitive data can be exposed or intercepted.
- Breach impact increases: stolen data is immediately readable.
- Insider/vendor risk: plaintext data is easier to access in logs, backups, and support tooling.
- Regulatory exposure: many regimes assume encryption at rest/in transit for certain data.
Safer examples
1) Use TLS for data in transit
Use HTTPS for all sensitive endpoints and keep certificate verification enabled (see T01 / CWE-295 / CWE-296).
2) Encrypt sensitive data at rest (when appropriate)
If you must store sensitive values, use vetted libraries and authenticated encryption (AES‑GCM / ChaCha20‑Poly1305) and manage keys securely.
3) Don't "encrypt passwords"
Passwords should be hashed using a password hashing algorithm (Argon2id/scrypt/bcrypt) (see P02 / CWE-256).
How SiteShadow detects it (high level)
- Detects sensitive data flows (password/token/PII-like fields) being persisted or transmitted.
- Flags missing encryption when data is stored to disk/db or sent over insecure channels.
References
- CWE-311: https://cwe.mitre.org/data/definitions/311.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.