SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-757 Selection of Less-Secure Algorithm

Coverage: 6 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 6 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged a pattern where the system can be coerced into using weaker/legacy cryptography than intended (older TLS versions, weak cipher suites, permissive "compatibility" fallbacks, or algorithm negotiation without a strict minimum).

Why it matters

Attackers can force weaker algorithms or protocols.

Safer examples

1) Set strict minimum TLS versions (Node.js)

import https from "https";

export const agent = new https.Agent({
  minVersion: "TLSv1.2", // or TLSv1.3 when possible
});

2) Avoid "allow insecure fallback" switches

Remove options like "accept legacy", "allow insecure renegotiation", or "disable certificate checks" (see CWE-295 / T01).

3) Prefer modern algorithms and modes by default

For encryption, use AEAD modes (e.g., AES-GCM, ChaCha20-Poly1305) and avoid deprecated algorithms/modes.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.