In the second entry of this ten-part blog series, we will be taking a look at A02:2021: Cryptographic Failures. This second entry in OWASP’s Top Ten list is described as more of a broad symptom than a root cause of vulnerability, and it specifically points at failures that occur owing to a lack of appropriate cryptography. Such a lack can often lead to the unauthorised exposure of data, sensitive or otherwise.
An example of insufficient cryptographic functions leading to a failure could be a web application hosted by an entity that does not enforce the use of a secure protocol such as HTTPS. If, instead, a user is allowed to submit their data over a connection using the HTTP protocol, their data is sent to the server in clear text. This data can be captured by an attacker who has placed themselves between the victim and the intended destination, allowing the attacker access to that user’s credentials.
Several areas of risk that can be attributed to cryptographic failures include:
- The use of any outdated algorithms or weak keys.
- Storing sensitive data (such as passwords) without protecting it in the first place (for example, not hashing and salting passwords, or not encrypting other stored data).
- Insecure or inadequate management of important cryptographic keys.
- The lack of Data-in-Transit Encryption in a site, such as allowing information to be sent over an HTTP connection as described above.
- The use of FTP (File Transfer Protocol) in a system that stores data inadequately, since FTP transfers files (and login credentials) in plain text.
Preventing Cryptographic Failures
When attempting to prevent instances of cryptographic failure, it is helpful to implement the following best practices:
- Ensure that any access tokens and keys are stored securely and only accessible by those authorised to do so. Additionally, rotate keys periodically and revoke their permissions when they are no longer necessary.
- Ensure the use of up-to-date, supported algorithms, such as AES for encryption rather than deprecated primitives like MD5, and RSA/DSA or ECC for keys.
- Ensure that data is transported securely, for example using SFTP over FTP and HTTPS over HTTP.
- Store passwords using strong, salted hashing functions, such as Argon2 or bcrypt.
- Always use authenticated encryption over just encryption where possible.
- Never store sensitive data if it is not necessary to do so. It is better to discard the data than to store it indefinitely, as accessing destroyed data is even harder than accessing strongly encrypted data.
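To make the password-storage point concrete, here is an added example (not code from the original post) showing the weak pattern next to the recommended one. It assumes scrypt from Python's standard library as a stand-in for the Argon2/bcrypt functions named above, so that it runs without third-party packages; the record format and parameter values are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Weak pattern that A02 warns against: one fast, unsalted hash per password.
# Identical passwords give identical digests and precomputed tables apply.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Strong pattern: per-user random salt plus a slow, memory-hard KDF.
# scrypt is assumed here in place of Argon2/bcrypt (same salted, slow design).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # constructed example parameters

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Self-describing record so parameters can be raised later without
    # breaking verification of older entries.
    return "$scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def verify_password(password: str, record: str) -> bool:
    parts = record.split("$")
    if len(parts) != 7 or parts[1] != "scrypt":
        return False  # malformed or unknown record: reject, never fall back
    n, r, p = int(parts[2]), int(parts[3]), int(parts[4])
    salt = base64.b64decode(parts[5])
    expected = base64.b64decode(parts[6])
    actual = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                            dklen=len(expected))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(actual, expected)

def needs_upgrade(record: str) -> bool:
    # True when a stored record uses weaker parameters than the current ones,
    # so it can be re-hashed on the user's next successful login.
    parts = record.split("$")
    if len(parts) != 7 or parts[1] != "scrypt":
        return True
    return (int(parts[2]), int(parts[3]), int(parts[4])) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)
```

On login, call verify_password first and, only if it returns True and needs_upgrade is also True, replace the stored record with a fresh hash_password result.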
It is very important to ensure strong cryptographic controls are in place when handling data on a web application. Doing so ensures that both clients and organisations are doing their level best to keep data safe and secure from unauthorised attempts to steal this data and use it for their own purposes.
When conducting penetration tests against a client’s web application, the team at CyberWhite follow the OWASP framework closely. This allows us to check applications against the OWASP Top Ten list, including Cryptographic Failures as explored in this blog post.