CWE-327 Broken or Risky Cryptographic Algorithm
Coverage: 23 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 21Other-pattern 2 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged use of cryptographic algorithms or settings that are considered broken, weak, or deprecated for security purposes.
Why it matters
Broken crypto can be brute-forced or bypassed.
- Attackers can decrypt or forge data that you expect to be protected.
- Weak algorithms often fail "silently" until you have an incident.
Safer examples
1) Use modern, vetted primitives
- Hashing passwords: Argon2id / scrypt / bcrypt
- Encryption: AES-GCM / ChaCha20-Poly1305
- Signatures: Ed25519 / RSA-PSS (via libraries)
2) Avoid deprecated/broken algorithms for security
Examples: MD5, SHA1 (for integrity/auth), DES/3DES, RC4.
3) Prefer libraries that are secure-by-default
Minimize custom crypto configuration and avoid rolling your own.
How SiteShadow detects it (high level)
- Flags known weak algorithms and risky configurations in crypto APIs.
- Uses context to prioritize security-sensitive usage (passwords, tokens, secret storage).
References
- CWE-327: https://cwe.mitre.org/data/definitions/327.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.