CWE-757 Selection of Less-Secure Algorithm
What this means
SiteShadow flagged a pattern where the system can be coerced into using weaker/legacy cryptography than intended (older TLS versions, weak cipher suites, permissive "compatibility" fallbacks, or algorithm negotiation without a strict minimum).
Why it matters
Attackers can force weaker algorithms or protocols.
- Downgrade attacks: force use of older TLS/protocols or weak ciphers that are easier to break.
- Loss of confidentiality/integrity: attackers can read or tamper with traffic if a weak mode is negotiated.
- Compliance risk: enabling legacy crypto can violate security baselines.
Safer examples
1) Set strict minimum TLS versions (Node.js)
import https from "https";
// Agent options are passed through to tls.connect(); minVersion sets the
// floor for negotiation so a peer cannot talk the client down to TLS 1.0/1.1.
export const agent = new https.Agent({
minVersion: "TLSv1.2", // or "TLSv1.3" once every peer supports it
});
2) Avoid "allow insecure fallback" switches
Remove options like "accept legacy", "allow insecure renegotiation", or "disable certificate checks" (see CWE-295 / T01).
3) Prefer modern algorithms and modes by default
For encryption, use AEAD modes (e.g., AES-GCM, ChaCha20-Poly1305), which authenticate the ciphertext as well as encrypting it, and avoid deprecated algorithms/modes such as RC4, DES/3DES, MD5, and unauthenticated CBC or ECB.
How SiteShadow detects it (high level)
- Flags configuration/options that enable weak algorithms, legacy protocol versions, or insecure negotiation/fallback behavior.
- Prioritizes cases in networking/crypto code paths and security-sensitive clients/servers.
References
- CWE-757: https://cwe.mitre.org/data/definitions/757.html
---