# Insufficiently Protected Credentials (CWE-522)

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

- Prevalence: High
- Impact: Medium
- Prevention: See the MITRE external references

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

When credentials are not properly protected during transmission or storage, attackers can capture them and use them to impersonate legitimate users.

## Consequences

- Gain privileges
- Bypass protection mechanism

## Mitigations

- Use TLS for all credential transmission
- Store credentials using a strong, salted one-way hash
- Use a secure credential storage mechanism