SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-328 Reversible One-Way Hash

Coverage: 6 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 6 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged a "hashing" implementation that is effectively reversible or not actually one-way (e.g., encryption used as "hash", encoding like Base64/hex, or a custom transform that can be inverted).

Why it matters

Reversible hashing exposes stored credentials and secrets.

Safer examples

1) For passwords: use proper password hashing (not encryption)

Use Argon2id/bcrypt/scrypt/PBKDF2 and store the full encoded hash output.

2) For secrets you must recover: use encryption, but treat it as encryption

Use authenticated encryption (AEAD) with proper key management (see CWE-327, C02, KMS patterns).

3) Don't confuse encoding with security

Base64/hex are encodings, not cryptography. Anyone can decode them.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.