OWASP Top 10 – A02: Cryptographic Failures

What Is Cryptographic Failure?

Cryptographic Failures (formerly known as “Sensitive Data Exposure”) refer to the misuse, misconfiguration, or complete absence of encryption and cryptographic protocols in systems handling sensitive data.

It means your application is not properly protecting data such as:

  • Passwords
  • Credit card numbers
  • Health records
  • Personally Identifiable Information (PII)

In short: You have sensitive data, but it’s not being handled securely — or worse, not encrypted at all.

Why Is It Dangerous?

  • Exposed personal or financial data can lead to identity theft, fraud, and legal consequences.
  • Weak encryption allows attackers to decrypt stolen data.
  • Non-compliance with regulations like GDPR, HIPAA, or PCI DSS.

Common Real-World Examples

1. Storing Passwords in Plaintext

Username: alice  
Password: mysecretpassword

Anyone who accesses the database sees passwords in clear text. If the DB is leaked, all accounts are immediately compromised.

Best Practice: Always hash passwords with a strong algorithm (e.g., bcrypt, Argon2).

2. Using Weak Hashing Algorithms

  • MD5 and SHA-1 are considered broken.
  • These algorithms are vulnerable to collision attacks and rainbow tables.
  • If used for passwords, they can be cracked in seconds.

Use bcrypt, PBKDF2, scrypt, or Argon2 with proper salting and iteration count.

3. Lack of HTTPS

An application sends login credentials over plain HTTP:

POST http://example.com/login

An attacker using a Wi-Fi sniffer (e.g., Wireshark) can see the username and password.

Use HTTPS (TLS 1.2 or 1.3) for all data in transit — not just logins.

4. Insecure Data at Rest

  • Storing credit card numbers or customer addresses unencrypted on disk.
  • If the server is compromised, the attacker reads everything instantly.

Sensitive data should be encrypted using secure symmetric algorithms like AES-256.

5. Hardcoded Secrets in Source Code

const jwtSecret = "mySuperSecretKey123!";

Putting secrets, API keys, or encryption keys in code (especially in public repositories) is dangerous.

Use environment variables or secret managers (AWS Secrets Manager, HashiCorp Vault, etc.).

Other Common Failures

  • Missing or weak TLS configuration (e.g., TLS 1.0 or self-signed certificates).
  • Using ECB mode for AES (electronic codebook leaks patterns).
  • No key rotation policy — keys are static and reused forever.
  • Failing to use HMAC to protect integrity of tokens or messages.

Common Sensitive Data You Must Protect

  • Passwords
  • Financial data (credit cards, IBAN)
  • Health information (HIPAA)
  • Government ID numbers
  • Authentication tokens (JWTs, session IDs)
  • Personal data (address, email, phone)
  • Confidential business data

How to Prevent Cryptographic Failures

1. Encrypt All Sensitive Data — in Transit and at Rest

  • Use TLS 1.2 or 1.3 (HTTPS)
  • Use AES-256-GCM or similar secure symmetric encryption for data at rest

2. Hash Passwords Properly

  • Never store passwords in plaintext
  • Use:
    • bcrypt
    • Argon2
    • PBKDF2
      with proper salting and cost factors

3. Avoid Weak or Deprecated Algorithms

  • ❌ Do not use: MD5, SHA-1, DES, RC4, RSA < 2048 bits
  • ✅ Do use: SHA-256+, AES-256, RSA-2048+, ECC (like Curve25519)

4. Secure Key Management

  • Never hardcode encryption keys
  • Store keys in secure key vaults
  • Rotate keys periodically
  • Enforce access control for who can retrieve keys

5. Disable Caching of Sensitive Data

Prevent browsers and proxies from caching sensitive information:

Cache-Control: no-store

6. Validate Certificates

  • Always verify SSL/TLS certificates
  • Prevent MITM attacks by rejecting invalid/self-signed certs

Tools to Test Cryptographic Security

  • SSL Labs (by Qualys) – Test your site’s TLS configuration
    https://www.ssllabs.com/ssltest/
  • testssl.sh – Terminal tool to check your server’s SSL
  • TruffleHog – Scans code repositories for secrets
  • Talisman – Git hook to block hardcoded keys
  • Burp Suite/ZAP – Inspect HTTPS usage, cookie flags, and token handling

Bonus: Terms You Should Understand

Term                  | Definition
----------------------|---------------------------------------------------
Encryption            | Reversible method of hiding data using keys
Hashing               | Irreversible transformation, usually for passwords
Salting               | Adding random data to passwords before hashing
Symmetric Encryption  | Same key for encryption & decryption (e.g., AES)
Asymmetric Encryption | Public/private key pair (e.g., RSA, ECC)
TLS                   | Protocol for secure communication over networks
HMAC                  | Used to ensure integrity of messages

Cryptographic Failures are like leaving your front door unlocked — or worse, leaving it open with your passwords taped to the fridge.

To build secure applications:

  • Use modern cryptographic practices
  • Protect sensitive data throughout its lifecycle
  • Regularly audit your implementation and tools
