CWE-532 Sensitive Information in Log Files
Coverage: 11 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 11 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged logging that may include secrets (tokens, passwords, API keys), sensitive headers/cookies, or private user data.
Why it matters
Logs are often widely accessible and long-lived.
- Logs spread into third-party systems, support channels, and backups.
- Long retention means the exposure can persist after code is fixed.
- Secrets in logs often lead directly to account compromise.
Safer examples
1) Don't log raw secrets or headers
Avoid logging Authorization, cookies, and full request bodies by default.
2) Redact before logging
def redact(value: str) -> str:
if not value:
return ""
return value[:4] + "…"
logger.info("tokenPrefix=%s", redact(token))
3) Restrict access and retention
Treat logs as sensitive data: least-privilege access, encryption at rest, and reasonable retention.
How SiteShadow detects it (high level)
- Recognizes logging APIs and flags when likely-sensitive variables/fields are logged (tokens, passwords, headers).
- Uses heuristics to reduce false positives (e.g., ignores obviously fake placeholders where possible).
References
- CWE-532: https://cwe.mitre.org/data/definitions/532.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.