Day 4: OWASP Top 10 2021 – #2 Cryptographic Failure

Cryptographic Failure was formerly known as Sensitive Data Exposure, and it jumped from third to second place on the 2021 list. It focuses on cryptographic failures, which frequently result in the exposing of sensitive data or system compromise. Cybersecurity specialists use cryptography to create algorithms, ciphertext, and other security measures that codify and secure company and consumer information. Cryptography, in simple terms, is the study of secure communications techniques that allow only the sender and intended recipient of a message to read its contents. It is used to keep private passwords and other sensitive information safe online.

Due to the possibility of cryptographic errors, data in transit and at rest, including passwords, credit card numbers, health records, personal information, and company secrets, needs additional security (sensitive data exposures). This is particularly true if the data is covered by any privacy regulations, including GDPR, CCPA, and others. Is there any plain text data sent? Exist any cryptographic protocols or old algorithms that are used by default? Is it feasible that weak crypto keys are being generated and used repeatedly, default crypto keys are being used, or proper key management and rotation are being disregarded? Can cryptographic keys be checked into source code repositories? Is the received data encrypted, and is encryption enforced?

The following actions can lead to a cryptographic failure flaw:

• Save data using outdated or inadequate encryption.
• Store or send data in clear text 
• Filter or hide data in transit incorrectly

A scenario of the attack: The password database stores everyone’s credentials using plain or unsalted hashes. An attacker could retrieve the password database using a file upload bug. A rainbow table of pre-calculated hashes can be used to reveal all the unsalted hashes. GPUs may be able to decrypt hashes produced by quick or simple hash algorithms, even if they were salted.

Correction of Cryptographic Failures

• Delete the autocomplete feature from data collection forms.
• minimize/reduce the data surface area’s size.
• Data should be encrypted both in transit and at rest.
• Utilize the most recent encryption methods.
• Disable caching on forms that collect data.
• When saving passwords, use strong adaptive and salted hashing methods.

List To The Mapped 29 CWEs Regarding Cryptographic Failure

• CWE-261 Weak Encoding for Password
• CWE-296 Improper Following of a Certificate’s Chain of Trust
• CWE-310 Cryptographic Issues
• CWE-319 Cleartext Transmission of Sensitive Information
• CWE-321 Use of Hard-coded Cryptographic Key
• CWE-322 Key Exchange without Entity Authentication
• CWE-323 Reusing a Nonce, Key Pair in Encryption
• CWE-324 Use of a Key Past its Expiration Date
• CWE-325 Missing Required Cryptographic Step
• CWE-326 Inadequate Encryption Strength
• CWE-327 Use of a Broken or Risky Cryptographic Algorithm
• CWE-328 Reversible One-Way Hash
• CWE-329 Not Using a Random IV with CBC Mode
• CWE-330 Use of Insufficiently Random Values
• CWE-331 Insufficient Entropy
• CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator(PRNG)
• CWE-336 Same Seed in Pseudo-Random Number Generator (PRNG)
• CWE-337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
• CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator(PRNG)
• CWE-340 Generation of Predictable Numbers or Identifiers
• CWE-347 Improper Verification of Cryptographic Signature
• CWE-523 Unprotected Transport of Credentials
• CWE-720 OWASP Top Ten 2007 Category A9 – Insecure Communications
• CWE-757 Selection of Less-Secure Algorithm During Negotiation(‘Algorithm Downgrade’)
• CWE-759 Use of a One-Way Hash without a Salt
• CWE-760 Use of a One-Way Hash with a Predictable Salt
• CWE-780 Use of RSA Algorithm without OAEP
• CWE-818 Insufficient Transport Layer Protection
• CWE-916 Use of Password Hash With Insufficient Computational Effort

References To Get More Understanding of Cryptographic Failures.

1. https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
2. https://www.acunetix.com/blog/web-security-zone/sensitive-data-exposure/

This will be all for the Day 4 post. Hope you enjoyed it, kindly let me know in the comments section. Be sure to check out other blog posts of interest or come back tomorrow for the next day’s post. 😊