CWE-532 Sensitive Information in Log Files
What this means
SiteShadow flagged logging that may include secrets (tokens, passwords, API keys), sensitive headers/cookies, or private user data.
Why it matters
Logs are often widely accessible and long-lived.
- Logs spread into third-party systems, support channels, and backups.
- Long retention means the exposure can persist after code is fixed.
- Secrets in logs often lead directly to account compromise.
Safer examples
1) Don't log raw secrets or headers
Avoid logging the Authorization header, Cookie/Set-Cookie headers, and full request or response bodies by default. Log an allow-list of fields you know are safe rather than dumping whole objects.
2) Redact before logging
import logging
logger = logging.getLogger(__name__)

def redact(value: str) -> str:
    # Keep a short prefix so log entries stay correlatable, never the full value.
    # Suitable for long random tokens; short values like passwords should be masked entirely.
    if not value:
        return ""
    return value[:4] + "…"

logger.info("tokenPrefix=%s", redact(token))
3) Restrict access and retention
Treat logs as sensitive data: least-privilege access, encryption at rest, and reasonable retention.
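Putting items 1 and 2 together: a redaction layer that strips sensitive keys from headers, cookies and body fields before they reach the logger, plus a logging filter that masks bearer tokens that slip into free-text messages. This is an added example, not SiteShadow's code; the key list, the token regex and the sample request are constructed here and should be tuned to your application.

```python
import logging
import re

# Constructed for this example: key names (case-insensitive) treated as secrets.
SENSITIVE_KEYS = {"authorization", "cookie", "set-cookie", "x-api-key", "session",
                  "password", "token", "access_token", "refresh_token", "secret"}
# Keys whose values are long random tokens: keep a 4-char prefix for correlation.
PREFIX_KEYS = {"authorization", "x-api-key", "token", "access_token", "refresh_token"}
# Bearer-style tokens embedded in free-text messages (assumed shape).
_TOKEN_PATTERN = re.compile(r"(?i)\b(bearer\s+)[a-z0-9\-_.=]{8,}")


def redact_value(value, keep_prefix=False):
    """Mask a secret. Long tokens may keep a short prefix; everything else is fully masked."""
    if value is None or value == "":
        return ""
    s = str(value)
    if keep_prefix and len(s) > 12:
        return s[:4] + "…"
    return "[REDACTED]"


def redact_mapping(data):
    """Return a copy of headers/cookies/body with sensitive keys masked.
    Nested dicts and lists are walked recursively; non-sensitive values are kept."""
    if isinstance(data, dict):
        out = {}
        for k, v in data.items():
            key = str(k).lower()
            if key in SENSITIVE_KEYS:
                out[k] = redact_value(v, keep_prefix=key in PREFIX_KEYS)
            else:
                out[k] = redact_mapping(v)
        return out
    if isinstance(data, list):
        return [redact_mapping(v) for v in data]
    return data


def redact_text(message):
    """Mask bearer tokens that appear inside an already-formatted log message."""
    return _TOKEN_PATTERN.sub(lambda m: m.group(1) + "[REDACTED]", message)


class RedactingFilter(logging.Filter):
    """Last line of defence: scrub every record's formatted message, so a stray
    logger.info("hdr=%s", headers) still cannot emit a full bearer token."""

    def filter(self, record):
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


# Constructed sample request, not captured traffic.
SAMPLE_REQUEST = {
    "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig", "Accept": "*/*"},
    "cookies": {"session": "s3cr3t-session-id", "theme": "dark"},
    "body": {"username": "alice", "password": "hunter2"},
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    log = logging.getLogger("app")
    log.addFilter(RedactingFilter())
    log.info("request=%s", redact_mapping(SAMPLE_REQUEST))
    log.info("raw header slipped through: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig")
```

Redact at the call site first (redact_mapping) and treat the filter as a safety net only: a regex can only catch shapes it knows about, and it runs after the arguments have been formatted into a string. Keeping a 4-character prefix is a deliberate trade-off for correlating entries; for short or guessable secrets (passwords, PINs) mask the whole value.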
How SiteShadow detects it (high level)
- Recognizes logging APIs and flags when likely-sensitive variables/fields are logged (tokens, passwords, headers).
- Uses heuristics to reduce false positives (e.g., ignores obviously fake placeholders where possible).
References
- CWE-532: https://cwe.mitre.org/data/definitions/532.html