The A02 Cryptographic Failures vulnerability exposes sensitive data in web apps, from weak encryption to key management issues. Learn prevention strategies.
A02 Cryptographic Failures is the second-ranked category in the OWASP Top 10:2021. It was previously listed as A3:2017 Sensitive Data Exposure; the rename shifts the focus from the symptom (data leaking out) to its root cause: cryptography that is missing, weak, or misused. Typical failures are the use of weak or outdated algorithms, insecure key management, failure to enforce encryption, and related mistakes.
In practice, the category covers every place where a web application should be protecting data with cryptography and is not doing so correctly. The data at stake is whatever the application's own threat model, or a law or standard such as the GDPR or PCI DSS, classes as sensitive: passwords, credit card numbers, health records, personal information. Concrete failures include weak or deprecated algorithms and modes (MD5, SHA-1, ECB, bare CBC), hard-coded or reused keys and the absence of rotation, encryption in transit or at rest that is optional rather than enforced, unsalted or fast password hashes, predictable randomness, and error handling that leaks information about the cryptographic operation, as in a padding-oracle attack.
Prevention starts with data classification: identify which data is sensitive under your own threat model and under the laws and standards that apply to you, and do not store what you do not need (discard it promptly, or tokenise or truncate it, since data you do not hold cannot be stolen). For what remains: encrypt it at rest; encrypt it in transit with a current TLS configuration, forward-secrecy cipher suites and HTTP Strict Transport Security, so that clients cannot be downgraded to plaintext; use authenticated encryption (AES-GCM or ChaCha20-Poly1305) rather than unauthenticated modes such as ECB or CBC without a MAC; generate keys and IVs with cryptographically secure randomness, keep keys outside the application code (a KMS or HSM) and rotate them; hash passwords with a slow, salted, adaptive function (Argon2, scrypt, bcrypt or PBKDF2) rather than a plain digest; and avoid deprecated primitives and padding schemes such as MD5, SHA-1 and PKCS#1 v1.5. Finally, verify the result rather than trusting defaults: test the TLS endpoints, disable caching for responses that carry sensitive data, and review what reaches the logs.
Scenario 1: SQL Injection and Automatic Decryption: An application encrypts credit card numbers in its database using the database engine's transparent (automatic) encryption. That protects the data only against an attacker who obtains the raw storage, such as a stolen backup or disk. A SQL injection flaw lets the attacker issue their own queries through the application, and because the database decrypts every row it returns, the card numbers arrive in clear text. Encryption at rest is no substitute for parameterised queries, and data the application can read on demand should be minimised (tokenised or truncated) rather than merely encrypted.
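The following is an added example, not code from the original page or from OWASP, that reproduces the scenario end to end. The card vault encrypts each row at rest and decrypts on read, as transparent database encryption does; the vulnerable accessor concatenates user input into the query, the fixed one uses a parameter. The cipher here is an HMAC-SHA256 counter-mode stand-in chosen only to keep the example dependency-free; the key, table name and sample card numbers (well-known test numbers) are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed demo key. In a real deployment the storage key lives in a KMS or
# HSM and is never embedded in application code.
DB_KEY = b"demo-storage-key-not-for-production"

# Constructed sample data: well-known test card numbers, not real accounts.
SAMPLE_CARDS = [
    ("alice", "4111111111111111"),
    ("bob", "5555555555554444"),
    ("carol", "378282246310005"),
]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream: a stand-in for the database
    engine's transparent encryption, used only so the example needs no
    third-party library. It is not a recommended construction."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def storage_encrypt(plaintext: str) -> bytes:
    data = plaintext.encode()
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(DB_KEY, nonce, len(data))))


def storage_decrypt(blob: bytes) -> str:
    nonce, data = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(data, _keystream(DB_KEY, nonce, len(data)))).decode()


class CardStore:
    """Card vault where every row is encrypted at rest and decrypted on read,
    which is how transparent database encryption looks to the application."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE cards (owner TEXT, pan BLOB)")
        for owner, pan in SAMPLE_CARDS:
            self.db.execute("INSERT INTO cards VALUES (?, ?)", (owner, storage_encrypt(pan)))

    def cards_for_owner_vulnerable(self, owner: str) -> list[str]:
        # VULNERABLE: the caller-supplied value is concatenated into the SQL text.
        rows = self.db.execute(f"SELECT pan FROM cards WHERE owner = '{owner}'").fetchall()
        # Every matching row is decrypted for the caller, so an injected
        # predicate hands the attacker clear-text card numbers.
        return [storage_decrypt(row[0]) for row in rows]

    def cards_for_owner_fixed(self, owner: str) -> list[str]:
        # Parameterised query: the value can never change the query's structure.
        rows = self.db.execute("SELECT pan FROM cards WHERE owner = ?", (owner,)).fetchall()
        return [storage_decrypt(row[0]) for row in rows]

    def raw_rows(self) -> list[bytes]:
        """What an attacker who only steals the database file would see."""
        return [row[0] for row in self.db.execute("SELECT pan FROM cards")]


if __name__ == "__main__":
    store = CardStore()
    payload = "x' OR '1'='1"
    print("stolen file:", store.raw_rows())
    print("vulnerable: ", store.cards_for_owner_vulnerable(payload))
    print("fixed:      ", store.cards_for_owner_fixed(payload))
```

Run it and the stolen-file view is opaque ciphertext while the vulnerable accessor returns all three card numbers for the payload `x' OR '1'='1`; the fixed accessor returns nothing, because the whole payload is compared as a literal owner name.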
Scenario 2: Downgrading HTTPS to HTTP: A site does not use or enforce TLS on every page, or it accepts weak cipher suites. An attacker on the network path (for example on an open wireless network) downgrades a user's connection from HTTPS to HTTP, intercepts the requests and steals the session cookie, which the browser sends over the plaintext connection because the cookie lacks the Secure attribute and the site publishes no HSTS policy. The attacker then replays the cookie to hijack the authenticated session and read or modify the user's private data. Instead of stealing the session, the attacker could alter the transported data itself, for instance the recipient of a money transfer.
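As an added check (not code from the original page) that catches the two server-side omissions this scenario depends on, the function below audits a list of response headers for a Strict-Transport-Security policy with a max-age of at least a year and for Set-Cookie headers missing the Secure or HttpOnly attributes. The header values and the one-year threshold are constructed for the example; it parses only these headers and does not inspect the TLS configuration itself.

```python
from typing import Optional

ONE_YEAR = 31_536_000  # seconds; the usual baseline for an HSTS max-age

# Constructed sample responses, not captured from a real site.
WEAK_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=3b1f0c9e2a7d; Path=/; HttpOnly"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=3b1f0c9e2a7d; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def _parse_set_cookie(value: str) -> tuple[str, set[str]]:
    """Return the cookie name and the lower-cased attribute names."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def _hsts_max_age(value: str) -> Optional[int]:
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_response_headers(headers: list[tuple[str, str]]) -> list[str]:
    findings = []
    hsts = next((v for n, v in headers if n.lower() == "strict-transport-security"), None)
    if hsts is None:
        # Without HSTS a browser will follow an http:// link or a typed hostname in
        # plain text, which is exactly the window a downgrade attack needs.
        findings.append("no Strict-Transport-Security header: browser will accept http:// for this host")
    else:
        max_age = _hsts_max_age(hsts)
        if max_age is None or max_age < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age={max_age} is below one year")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = _parse_set_cookie(value)
        if "secure" not in attrs:
            # The Secure attribute is what stops the browser sending the cookie on
            # a plaintext request, so its absence is what makes the replay possible.
            findings.append(f"cookie {cookie!r} lacks Secure: sent in clear on any http:// request")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie!r} lacks HttpOnly: readable by injected script")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response_headers(response) or "no findings")
```

Note that HSTS is remembered by the browser only after a first successful HTTPS visit, so the very first request is still exposed unless the domain is on the browser preload list; the Secure attribute protects the cookie regardless.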
Scenario 3: Hash Cracking through Unsalted Passwords: The password database stores unsalted or simple (fast) hashes. A file upload flaw lets the attacker retrieve the database. Because the hashes are unsalted, a single precomputed rainbow table, or one pass of a GPU cracker over a word list, tests each guess against every account at once, and users who chose the same password are immediately visible because their hashes are identical. Salting alone is not enough if the function is fast: password storage needs a random per-user salt and a deliberately slow, iterated or memory-hard function such as Argon2, scrypt, bcrypt or PBKDF2.
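The example below is added here and is not part of the original page; it illustrates both the password-hashing advice in the prevention section and Scenario 3. It stores the same constructed set of accounts two ways, as unsalted SHA-256 and as salted PBKDF2-HMAC-SHA256, then runs a word-list attack against each and counts the key-derivation calls the attacker has to make. The accounts, the word list and the PBKDF2 iteration count (600,000, the figure OWASP's Password Storage Cheat Sheet gives for SHA-256) are the assumptions; the attack loop is a deliberately simple dictionary attack rather than a real rainbow-table implementation.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16

# Constructed sample accounts; alice and bob share a password on purpose.
SAMPLE_PASSWORDS = {
    "alice": "Summer2024!",
    "bob": "Summer2024!",
    "carol": "correct horse battery staple",
}
# Constructed attacker word list, standing in for a rainbow table's input set.
WORDLIST = ["password", "Summer2024!", "correct horse battery staple", "letmein"]


def store_unsalted(passwords: dict[str, str]) -> dict[str, str]:
    """The weak scheme from the scenario: one fast digest, no salt."""
    return {user: hashlib.sha256(pw.encode()).hexdigest() for user, pw in passwords.items()}


def crack_unsalted(stored: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    # The table is computed once and reused against every account; this is the
    # precomputation a rainbow table does at scale.
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def hash_salted(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def store_salted(passwords: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Random per-user salt plus a slow KDF; the salt is stored beside the digest."""
    records = {}
    for user, pw in passwords.items():
        salt = secrets.token_bytes(SALT_BYTES)
        records[user] = (salt, hash_salted(pw, salt))
    return records


def verify_salted(record: tuple[bytes, bytes], password: str) -> bool:
    salt, expected = record
    # Constant-time comparison so the check itself does not leak a byte at a time.
    return hmac.compare_digest(hash_salted(password, salt), expected)


def crack_salted(stored: dict[str, tuple[bytes, bytes]], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Dictionary attack on salted records. Returns (cracked, kdf_calls): every
    guess must be recomputed per user, and each call costs 600k iterations."""
    cracked, kdf_calls = {}, 0
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            kdf_calls += 1
            if hmac.compare_digest(hash_salted(word, salt), digest):
                cracked[user] = word
                break
    return cracked, kdf_calls


if __name__ == "__main__":
    unsalted = store_unsalted(SAMPLE_PASSWORDS)
    print("alice and bob collide:", unsalted["alice"] == unsalted["bob"])
    print("cracked unsalted with one table:", crack_unsalted(unsalted, WORDLIST))
    salted = store_salted(SAMPLE_PASSWORDS)
    print("alice and bob collide:", salted["alice"][1] == salted["bob"][1])
    cracked, calls = crack_salted(salted, WORDLIST)
    print(f"cracked salted after {calls} KDF calls:", cracked)
```

Both schemes fall to this word list because the sample passwords are in it; the difference is the cost. The unsalted attack spends four fast hashes on the table and then a lookup per user, while the salted attack has to pay the full KDF cost for every user-guess pair, which is what makes a large leak uneconomical to crack in bulk and is why the scheme should be combined with a password policy that keeps common words out of the list in the first place.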