CWE-757: Selection of Less-Secure Algorithm

Overview

This guidance helps you interpret and remediate findings from DAST (Dynamic Application Security Testing) tools. The scanner detected that the application's cryptographic negotiations accept weak or insecure algorithms when offered by the client. Evidence includes TLS connections successfully negotiating weak cipher suites (3DES, RC4), downgrade to SSL 3.0 or TLS 1.0, or acceptance of weak hash algorithms. The scanner deliberately proposes weak algorithms and observes successful negotiation in TLS handshakes or API communications.

Analyzing the Dynamic Scan Result

What the DAST Scanner Found

DAST findings for CWE-757 typically indicate that the application or an exposed interface selected a less-secure algorithm at runtime, such as:

  • Weak or deprecated cryptographic algorithms being negotiated or used
  • Tokens, signatures, or hashes produced using algorithms that do not meet current security requirements
  • Configuration allowing downgrade to weaker algorithms

Evidence is based on observed cryptographic behavior and metadata (e.g., negotiated options, headers, or emitted token/signature properties), not on request parameters or payload syntax.

Mapping DAST Findings to Source Code

CWE-757 typically does not map to a single endpoint or request parameter. The issue resides in how the application selects cryptographic algorithms (by code, configuration, or library defaults).

When tracing this issue, review:

  • Central crypto utility modules and configuration
  • TLS/cipher suite settings (if the finding relates to transport)
  • Token/signature generation and verification settings (e.g., JWT/JWS)
  • Password hashing configuration (algorithm and parameters)
  • Backward-compatibility or “accept legacy” paths that enable weaker algorithms

Remediation

Core Principle: Never allow security guarantees to depend on a weak or legacy algorithm; algorithm selection must be server-controlled and restricted to a small allowlist of approved, modern primitives for each use case.
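
The core principle applied to token verification, as an added example (not code from this guidance or from any scanner): the verifier fixes the algorithm on the server side from a small allowlist and rejects any token whose header names something else. The names `ALLOWED`, `sign` and `verify`, the HS256/HS512 allowlist and the sample key are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Assumed allowlist for this sketch: the only MACs the server will ever use.
ALLOWED = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Issue a compact JWS; anything off the allowlist raises KeyError."""
    digest = ALLOWED[alg]
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps(payload).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), digest).digest()
    return f"{head}.{body}.{b64e(mac)}"

def verify(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Verify with the algorithm the server expects, not the one the token names."""
    digest = ALLOWED[expected_alg]  # server-side choice, fixed before parsing
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64d(head))
        given = b64d(sig)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg != expected_alg:
        # Covers "none", legacy hashes and any other downgrade request.
        raise ValueError(f"algorithm {alg!r} rejected, expected {expected_alg}")
    mac = hmac.new(key, f"{head}.{body}".encode(), digest).digest()
    if not hmac.compare_digest(mac, given):
        raise ValueError("bad signature")
    return json.loads(b64d(body))

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    print(verify(sign({"sub": "alice"}, key), key))
```
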

→ For comprehensive remediation guidance, see Static CWE-757 Guidance

Verification and Follow-Up Testing

After applying the fix:

  • Confirm the application can no longer negotiate or emit the weaker algorithm
  • Verify algorithm choices are restricted to the approved allowlist in configuration and code paths
  • Validate compatibility paths do not re-enable legacy algorithms in production

Re-run the DAST scanner to confirm the original weak-algorithm signal is no longer observed.

Additional Resources