SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-759 Use of a One-Way Hash without a Salt

Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 3Other-pattern 2 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged password/credential hashing that does not use a unique salt. Without a salt, identical passwords produce identical hashes, making offline cracking much easier.

Why it matters

Unsalted hashes are vulnerable to rainbow table attacks.

Safer examples

1) Use a password hashing algorithm that includes salts (recommended)

Use Argon2id, bcrypt, scrypt, or PBKDF2 (see CWE-916).

import bcrypt

pw_hash = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt())

2) Never use raw SHA-256/MD5 for passwords

Fast general-purpose hashes are not password hashing.

3) Store and verify correctly

Store the full encoded hash output (which includes the salt/params), and verify using the library's verify function.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.