SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-532 Sensitive Information in Log Files

Coverage: 11 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 11 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged logging that may include secrets (tokens, passwords, API keys), sensitive headers/cookies, or private user data.

Why it matters

Logs are often widely accessible and long-lived.

Safer examples

1) Don't log raw secrets or headers

Avoid logging Authorization, cookies, and full request bodies by default.

2) Redact before logging

def redact(value: str) -> str:
    if not value:
        return ""
    return value[:4] + "…"

logger.info("tokenPrefix=%s", redact(token))

3) Restrict access and retention

Treat logs as sensitive data: least-privilege access, encryption at rest, and reasonable retention.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.