CWE-759 Use of a One-Way Hash without a Salt
Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 3Other-pattern 2 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged password/credential hashing that does not use a unique salt. Without a salt, identical passwords produce identical hashes, making offline cracking much easier.
Why it matters
Unsalted hashes are vulnerable to rainbow table attacks.
- Fast offline cracking after a database leak (precomputed tables work well without salts).
- Password reuse correlation: attackers can spot users who share the same password.
- Higher breach impact: even "strong-ish" passwords fall quickly at scale.
Safer examples
1) Use a password hashing algorithm that includes salts (recommended)
Use Argon2id, bcrypt, scrypt, or PBKDF2 (see CWE-916).
import bcrypt
pw_hash = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())
2) Never use raw SHA-256/MD5 for passwords
Fast general-purpose hashes are not password hashing.
3) Store and verify correctly
Store the full encoded hash output (which includes the salt/params), and verify using the library's verify function.
How SiteShadow detects it (high level)
- Detects one-way hashing used for password storage without per-password salts.
- Flags use of fast hashes (MD5/SHA1/SHA256) for password-like fields.
References
- CWE-759: https://cwe.mitre.org/data/definitions/759.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.