OWASP Top 10 part 2: Cryptographic Failures

21 October 2024 7 minutes Author: Lady Liberty

Cryptographic errors are flaws in the implementation of cryptography that can lead to data leakage or compromise.

1. Use of outdated algorithms

  • Description: Use of outdated or unsafe cryptographic algorithms or protocols.

  • Example: Using MD5 to hash passwords instead of more modern algorithms like bcrypt or Argon2, which can easily crack hashes.

2. Insufficient data encryption

  • Description: Incorrect or insufficient encryption of sensitive data.

  • Example: Storing passwords in plain text or using weak encryption keys, making data accessible to attackers.

3. Unreliable storage of keys

  • Description: Storage of cryptographic keys in untrusted locations or without adequate protection.

  • Example: Storing cryptographic keys in application code or configuration files accessible to attackers.

4. Weak session management

  • Description: Insecure session management that allows attackers to intercept or spoof user sessions.

  • Example: Using predictable or not sufficiently complex session identifiers that can be easily guessed or forged.

Encoding, Encryption, Hashing

 Blue team. HTML Entities

HTML entities – are special characters used to replace unsafe or reserved characters in HTML code to prevent them from being misinterpreted by the browser.

Example:

  • Original code: <script>alert(‘XSS’);</script>

  • Coded: &lt;script&gt;alert(‘XSS’);&lt;/script&gt;

HTML code is interpreted as text in the browser, not as executable code, which prevents XSS attacks.

Red team

If a website does not correctly process HTML code and does not properly encode input data, an attacker can use an XSS (Cross-Site Scripting) attack to execute JavaScript code on the client side. This can allow it to hijack user sessions, insert malicious scripts, or modify data on a page.

Example:

An attacker enters: <script>alert(‘XSS’);</script> into an input form, and if the data is not properly encoded, this script will be executed in another user’s browser.

Blue team

URL encoding (also known as percent encoding) is used to ensure that special characters are passed in URLs. This is necessary to avoid conflicts with special characters that have meaning in the URL structure.

Example:

  • Original text: lorem with !@#$%^

  • Coded: lorem+with+%21%40%23%24%25%5E

Special characters are encoded in the format %XX, where XX is the hexadecimal ASCII value of the character code.

Red team

Attackers can use URL encoding to bypass web application filters. For example, if the server filters out dangerous characters such as < and >, an attacker could encode them into %3C and %3E and inject malicious code.

Example:

URL encoding can be used to bypass SQL injection filters or XSS attacks. An attacker could encode a malicious SQL query or JavaScript code and enter it into a form on a site that does not validate and decode this data properly.

Blue team

Base64 is a way of encoding data that converts it into a format that consists only of characters that can be represented as text (letters, numbers, and a few special characters). This method is usually used to transfer binary data such as images or files in text format.

Example:

  • Original text: this is original text

  • Coded: dGhpcyBpcyBvcmlnaW5hbCB0ZXh0

Base64 encodes data as text that can be transmitted over text-based protocols.

Red team

Red Team Perspective:

Attackers        can       use Base64        to    hide malicious code or data in a format invisible to the user, making it difficult to detect an attack.

Example:

An attacker can base64 encode malicious JavaScript code and embed it in a web page or email. Once decoded, this code can execute and cause harm to the user’s system.

 HTTP/HTTPS

Blue team

HTTP is a protocol designed for the transfer of hypertext, which enables the exchange of data between a client (such as a web browser) and a server. It is the main protocol used to download web pages and transfer information over the Internet.

How HTTP works:

  • A client (for example, a browser) sends an HTTP request to a web server asking for a specific resource (for example, a web page).

  • The server responds to the request by sending back a resource, which can be an HTML file, an image, or some other type of data.

Red team

HTTP is a dangerous protocol because it transmits data in the open, without encryption. This allows attackers to intercept information during a man-in-the-middle (MITM) attack. Such access allows them to obtain sensitive data, including passwords, session tokens, and other sensitive information.

Example:

  • MITM attack: An attacker can use a network sniffer, such as Wireshark, to intercept HTTP traffic and read the transmitted data, such as logins and passwords.

  • Session Hijacking: Using intercepted data such as session cookies, an attacker can hijack a user’s session and gain access to their account.

Blue team

HTTPS is a secure version of HTTP that applies encryption to ensure the confidentiality, integrity, and authenticity of the data being transmitted. To protect data, HTTPS uses the TLS (Transport Layer Security) protocol or its predecessor SSL (Secure Sockets Layer).

How HTTPS works:

  • When using HTTPS, all data between the client and the server is encrypted, which protects them from interception and modification.

  • HTTPS also provides server authentication using digital certificates to confirm that the client is connecting to the correct server and not a fake one.

Red team

Red Team Perspective:

HTTPS is not completely secure. Although HTTPS encrypts data, it does not protect against other types of attacks. For example, if the server is configured incorrectly, attackers can perform SSL-stripping attacks or exploit vulnerabilities in the TLS/SSL implementation.

Example:

SSL-Stripping: An attacker intercepts traffic and replaces HTTPS with HTTP during a request. The user sees a normal HTTP page, thinking it is secure, and all data is transmitted in the clear.

TLS Attacks: Vulnerabilities in older versions of SSL/TLS, such as POODLE, can be used to decrypt data or perform other privacy attacks.

Storage of confidential data

 Blue team

Protect sensitive data with encryption. To ensure the protection of sensitive information that may be used in the future, it should be stored in encrypted form. This ensures that even if the data is stolen or hacked, access to it will be restricted to unauthorized persons.

An example of encryption:

Red team

Encryption key attack: Attackers may attempt to discover weaknesses in encryption algorithms or vulnerabilities in their implementation, which could allow them to gain access to encrypted data.

Example:

  • A weak password attack: If the password or passphrase is weak, an attacker can perform a brute-force attack and gain access to the data. For example, using tools like Hashcat, you can automate key selection.

  • IV attack: If the initialization vector (IV) is too short or repeated, an attacker can try to decrypt the data using ciphertext attacks.

Blue team

Password storage using hashing. Passwords should be stored as a hash, not in the plaintext, to ensure they are protected in the event of a database leak.

Example of password hashing:

Red team

Hash attack: If password hashes are stored without proper additional protection, attackers can use methods such as Rainbow Tables or brute-force attacks to crack passwords.

Example:

  • Weak hashing: If a weak or outdated hashing algorithm (such as MD5 or SHA1) is used, attackers can quickly crack passwords.

  • Attack on salt (salt): If hashing is done without adding salt (random salt), an attacker can use pre-calculated tables (Rainbow Tables) to reveal hashes.

Other related articles
OWASP Top 10
Read more
OWASP Top 10 part 1: Broken Access Control
Broken Access Control is one of the most dangerous vulnerabilities in the OWASP Top 10 list, which allows attackers to bypass access control mechanisms, gain access to sensitive data, and perform unauthorized operations.
108
Found an error?
If you find an error, take a screenshot and send it to the bot.