Cryptographic Failures — OWASP Top 10

Suraj Dhamak
Feb 18, 2022

Cryptographic Failure is listed second in the OWASP Top 10 2021. In the 2017 list this vulnerability was in third position, and earlier it was known as Sensitive Data Exposure. Basically, this category covers failures in the cryptography mechanism itself, which often lead to the exposure of sensitive data.

To understand this vulnerability we need to understand two major concepts, Cryptography and Sensitive Data. Let's start with cryptography.

Cryptography

Let's see if you can read this...
Hello world

Oh great, you were able to read and understand the text given above!

Now let's check if you can read and understand the text given below...
Khoor zruog

Hard luck... of course you can read it, but you can't understand the meaning.

This is the magic of cryptography... let's try and break the code given above:
Khoor zruog

K : Shift back by 3 → H
H : Shift back by 3 → E
O : Shift back by 3 → L
O : Shift back by 3 → L
R : Shift back by 3 → O

Z : Shift back by 3 → W
R : Shift back by 3 → O
U : Shift back by 3 → R
O : Shift back by 3 → L
G : Shift back by 3 → D
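The shift-by-3 decoding above is a Caesar cipher. The following Python code is an added example, not part of the original post, that carries the same decode through programmatically: `caesar_shift` applies the shift to letters only, `encrypt`/`decrypt` wrap it with the key 3 used above, and `brute_force` tries every one of the 25 possible keys, which is exactly why a cipher like this counts as an old, easily broken algorithm today. The function names and the key value are assumptions made for this example.

```python
# Added example: Caesar cipher encode/decode, matching the "shift by 3" walk-through.
ALPHABET_SIZE = 26


def caesar_shift(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions; leave other characters alone."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % ALPHABET_SIZE + base))
        else:
            out.append(ch)  # spaces, digits and punctuation pass through unchanged
    return "".join(out)


def encrypt(plaintext: str, key: int = 3) -> str:
    """Plain text -> cipher text (the post's 'Hello world' -> 'Khoor zruog')."""
    return caesar_shift(plaintext, key)


def decrypt(ciphertext: str, key: int = 3) -> str:
    """Cipher text -> plain text: shift back by the key."""
    return caesar_shift(ciphertext, -key)


def brute_force(ciphertext: str) -> dict:
    """Return every candidate plaintext for the 25 non-trivial keys.

    The key space is so small that no secret is really being kept: anyone can
    list all candidates and pick the readable one. This is the sense in which
    an old algorithm is "already known" to attackers.
    """
    return {key: decrypt(ciphertext, key) for key in range(1, ALPHABET_SIZE)}


if __name__ == "__main__":
    secret = encrypt("Hello world")
    print(secret)                      # Khoor zruog
    print(decrypt(secret))             # Hello world
    for key, candidate in brute_force(secret).items():
        print(f"key={key:2d}: {candidate}")
```

Running the block prints the ciphertext from the post, its decryption, and the full candidate list; only key 3 yields readable English, and a reader can find it by eye in seconds.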

Cryptography is nothing but a technique or mechanism used to convert data from plain text format [ Hello World ] to cipher text / secret text [ Khoor zruog ]. There are two major types of cryptography, symmetric key cryptography and asymmetric key cryptography, and a number of cryptographic algorithms fall under these two categories. We will look at the types and algorithms of cryptography some other day, in some other post. This was a shallow overview of cryptography, which is quite enough to understand the concepts that follow.

Sensitive Data

In simple terms, data is nothing but a set of values of qualitative or quantitative variables or constants. Not every piece of data can be considered sensitive. A piece or block of data which needs to be protected, or which should not be accessible to unintended individuals, is termed sensitive data.

Cryptographic Failure — OWASP Top 10

We just saw what sensitive data is.
Now it's very obvious: if something is termed sensitive it should be protected. Now the question comes... how to protect it?
This is where cryptography comes in and plays a major role.
While building any application, or providing or accessing any kind of service over the internet, a huge amount of data flow is involved. This data also includes sensitive data. The data can either be at rest [ stored somewhere ] or in transit [ travelling from one node to another over the network ].

Let's imagine a scenario:
While browsing the internet, John encounters an amazing e-commerce website [www.example.com]. He decides to buy something and starts browsing that website. He finds an amazing smartphone and decides to buy it. After adding the product to the cart and checking out, John reaches the payment gateway. There John is asked to provide the 16-digit number of his debit card along with the CVV [Now this is very sensitive data].
In this case www.example.com stores your sensitive data on its server/database. If the admin or the developer has used a weak encryption technique to store your sensitive data, then it is at risk.
If an attacker breaks that encryption mechanism, he can easily get access to your sensitive data. This is called a CRYPTOGRAPHIC FAILURE, which leads to Sensitive Data Exposure.

What are the factors which can lead to cryptographic failure?

  • Old or weak cryptographic algorithms :
    Use of old, deprecated cryptographic algorithms can be dangerous. Attackers already know how to break such old algorithms.
  • Use of default crypto keys :
    While setting up any cryptography mechanism, some default keys are provided. These keys are what convert cipher text to plain text and vice versa. Such default keys are already known to attackers, and indeed to any normal user. The system administrator should always set up new keys [ i.e. change the default keys and set new ones which are not known to common users ]. If default keys are used on live systems, attackers can easily break the cryptography mechanism and access the sensitive data.
  • Use of deprecated hash functions :
    A hash function basically takes data of arbitrary length as input and converts it into fixed-length output. Hash functions are used heavily in cryptographic mechanisms, for example to store passwords. If a deprecated hash function is used, it becomes very easy for an attacker to break the mechanism and access the sensitive data.
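The second and third factors above (default keys and deprecated hash functions) can both be checked in code. The following Python block is an added example, not from the original post; it uses only the standard library. `weak_store` shows the deprecated pattern (an unsalted, single-pass MD5 digest, so two users with the same password get the same stored value and a precomputed table breaks all of them at once), `strong_store`/`strong_verify` show the replacement (a random 16-byte salt and PBKDF2-HMAC-SHA256 with a high iteration count, compared in constant time), and `reject_default_key` refuses a key that is still one of the vendor defaults or is too short. The iteration count, the list of "known default" keys and the function names are assumptions made for this example.

```python
# Added example: deprecated vs. acceptable password storage, plus a default-key check.
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000          # assumption: work factor chosen for this example
MIN_KEY_BYTES = 16                   # assumption: minimum acceptable key length

# Constructed list standing in for "the default keys that ship with the product".
KNOWN_DEFAULT_KEYS = {b"changeme", b"default", b"password", b"0000000000000000"}


def weak_store(password: str) -> str:
    """Deprecated: unsalted MD5. Same password -> same digest, and MD5 is fast,
    so an attacker who obtains the database can use precomputed tables."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256. Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' so the parameters
    can be raised later without breaking existing records."""
    if salt is None:
        salt = os.urandom(16)        # per-user random salt defeats shared tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                 # malformed record, never accept
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def reject_default_key(key: bytes) -> bytes:
    """Refuse to start with a key an attacker could simply look up.
    Raises ValueError for a known default or an undersized key."""
    if key in KNOWN_DEFAULT_KEYS:
        raise ValueError("refusing to use a vendor default key; generate a new one")
    if len(key) < MIN_KEY_BYTES:
        raise ValueError(f"key must be at least {MIN_KEY_BYTES} bytes")
    return key


if __name__ == "__main__":
    # Two users who chose the same password: the weak scheme leaks that fact.
    print(weak_store("Summer2022") == weak_store("Summer2022"))       # True
    record_a = strong_store("Summer2022")
    record_b = strong_store("Summer2022")
    print(record_a == record_b)                                        # False (different salts)
    print(strong_verify("Summer2022", record_a))                       # True
    print(strong_verify("summer2022", record_a))                       # False
    try:
        reject_default_key(b"changeme")
    except ValueError as exc:
        print(exc)
    print(len(reject_default_key(os.urandom(32))))                     # 32
```

The record format stores the iteration count alongside the hash, which is what lets an operator raise the work factor over time: old records still verify, and can be re-hashed on the user's next successful login.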

There are many more such reasons / factors which may lead to cryptographic failure, thereby exposing the sensitive data.

This was a short and crisp overview of Cryptographic Failure.

To get a brief overview of the OWASP Top 10, check my previous blog:
OWASP Top 10 2021

I hope this was quite informative. For any queries please feel free to connect on
LinkedIn

Happy Learning !!

Source : OWASP Foundation | Open Source Foundation for Application Security

DISCLAIMER : This article is intended for educational purposes; the author of this article is not responsible for any illegal action taken by readers.
