VC107 · A02:2021 · CWE-311

Missing data encryption for PII

About A02:2021 Cryptographic Failures

Cryptographic failures cover everything from hardcoded secrets in source code to using broken algorithms (MD5, SHA-1) to transmitting passwords in plaintext. AI coding tools frequently generate this category of bug because the safe alternatives require knowing about libraries the model wasn't trained heavily on.

Impact: When this class ships, it's usually a data breach. Hardcoded API keys end up on GitHub and get scraped within minutes. Weak password hashing means a single database leak unlocks every user's password. Plaintext-over-HTTP endpoints get sniffed on public WiFi.

How to fix it: Never store secrets in source code — use environment variables and a secret manager. Use bcrypt/argon2 for password hashing, not MD5/SHA-1. Always use HTTPS in production. Use the platform's modern crypto APIs instead of rolling your own.

Common patterns in this category:

  • Hardcoded API keys, tokens, or passwords committed to git
  • MD5 or SHA-1 used for password hashing instead of bcrypt/argon2
  • Sensitive data sent over HTTP instead of HTTPS
  • Encryption keys stored alongside the encrypted data
  • Custom crypto implementations instead of vetted libraries

Compliance coverage

Findings from this rule map to the following framework controls:

SOC 2: CC6.7, CC7.1
ISO 27001: A.8.24, A.8.12
OWASP Top 10: A02:2021 Cryptographic Failures
CWE: CWE-311

See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.

Scan your code for VC107 and 157 other rules

Free, no signup. Drag and drop a zip or run npx xploitscan scan .

