SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-760 Predictable Salt in One-Way Hash

Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged a salt that appears static or predictable (hardcoded constant, reused across users, derived from usernames or timestamps). A salt needs to be unique and unpredictable per password hash.

Why it matters

Predictable salts reduce the effectiveness of hashing defenses.

Safer examples

1) Use a password hashing library that generates salts for you

import bcrypt from "bcryptjs";

const hash = await bcrypt.hash(password, 12); // salt generated internally

2) If you manage salts manually, generate random per-user salts

import secrets

salt = secrets.token_bytes(16)  # per password

3) Don't derive salts from user data

Avoid salts like salt = username or salt = created_at. Use randomness.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.