SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-522 Insufficiently Protected Credentials

Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.

What this means

SiteShadow flagged credentials being stored, handled, or transmitted in a way that makes theft easier (weak hashing, plaintext storage, insecure transport, overly long-lived tokens).

Why it matters

Weak protection leads to credential theft and reuse.

Safer examples

1) Hash passwords properly

Use Argon2id/scrypt/bcrypt (see P02 / CWE-256 / CWE-261).

2) Use secure transport and safe storage

Use TLS in transit (see CWE-319 / CWE-523) and avoid putting secrets in logs or URLs (see CWE-532 / CWE-598).

3) Prefer short-lived, scoped credentials

Use short-lived access tokens and rotate/revoke them (see TOK01).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.