Day 4: OWASP Top 10 2021 – #2 Cryptographic Failure

Cryptographic Failures was formerly known as Sensitive Data Exposure, and it moved from third to second place on the 2021 list. The category focuses on failures in cryptography itself, which frequently result in the exposure of sensitive data or in system compromise. Cybersecurity specialists use cryptography to build algorithms, ciphertext, and other security measures that encode and protect company and consumer information. Cryptography, in simple terms, is the study of secure communication techniques that allow only the sender and the intended recipient of a message to read its contents. It is used to keep passwords and other sensitive information private online.

Because cryptographic errors are possible, data in transit and at rest, including passwords, credit card numbers, health records, personal information, and company secrets, needs additional protection; exposing it is the "sensitive data exposure" this category is named for. This is particularly true if the data is covered by a privacy regulation such as GDPR or CCPA. Questions to ask: Is any data sent in plain text? Are any old or weak cryptographic algorithms or protocols used by default? Are weak crypto keys being generated or reused, are default crypto keys in use, or is proper key management and rotation being neglected? Are cryptographic keys checked into source code repositories? Is received data encrypted, and is encryption enforced?

The following actions can lead to a cryptographic failure flaw:

  • Storing data using outdated or inadequate encryption.
  • Storing or sending data in clear text.
  • Filtering or hiding data in transit incorrectly.

An example attack scenario: The password database stores everyone’s credentials as plain or unsalted hashes. An attacker retrieves the password database through a file upload flaw. A rainbow table of pre-calculated hashes can then reveal every unsalted hash. Hashes produced by fast or simple hash algorithms can also be cracked with GPUs, even if they were salted.

Correction of Cryptographic Failures
  • Disable the autocomplete feature on data collection forms.
  • Minimize the data surface area (collect and retain only what is needed).
  • Encrypt data both in transit and at rest.
  • Use the most recent, standard encryption methods.
  • Disable caching on forms that collect data.
  • When storing passwords, use strong, adaptive, salted hashing methods.
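The attack scenario above (unsalted fast hashes looked up in a precomputed table) and the last correction (salted adaptive hashing) side by side, as an added example that is not part of the original post. The "precomputed table" is constructed inline from three weak passwords purely for illustration; the hardened scheme uses Python's standard-library PBKDF2-HMAC-SHA256 with a per-user random salt and a work factor of 600,000 iterations (assumed here as the current OWASP recommendation for that function).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed precomputed table: unsalted SHA-256 of a few weak passwords.
# This is what a rainbow table does at scale against a stolen database of
# unsalted hashes: equal passwords always produce equal hashes, so one lookup
# recovers every account that used the same weak password.
WEAK_PASSWORDS = ["password", "123456", "letmein"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in WEAK_PASSWORDS}


def unsalted_hash(password: str) -> str:
    """The vulnerable scheme from the scenario: one fast, unsalted hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """Returns the password if the stored hash appears in the precomputed table."""
    return PRECOMPUTED.get(stored_hash)


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Hardened scheme: random 16-byte salt + slow PBKDF2-HMAC-SHA256.

    The salt makes precomputed tables useless (each user gets a different
    hash for the same password); the iteration count makes GPU cracking slow.
    Output format (assumed for this example): algo$iterations$salt_hex$dk_hex
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recomputes the hash with the stored salt and compares in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Hashing the same password twice with hash_password yields two different strings, which is exactly the property the unsalted scheme lacks.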
List To The Mapped 29 CWEs Regarding Cryptographic Failure
References To Get More Understanding of Cryptographic Failures
  1. https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
  2. https://www.acunetix.com/blog/web-security-zone/sensitive-data-exposure/

This will be all for the Day 4 post. Hope you enjoyed it, kindly let me know in the comments section. Be sure to check out other blog posts of interest or come back tomorrow for the next day’s post. 😊