This is the second entry in the OWASP (Open Web Application Security Project) Top 10 2021. It was previously known as Sensitive Data Exposure. It focuses on weaknesses or vulnerabilities related to cryptographic mechanisms which often lead to sensitive data exposure.
In today’s data-driven world, it is very critical to ensure that both data in transit and at rest are sufficiently protected. Data in transit refers to data that’s moving between systems while that at rest is data in storage or within databases. Data such as passwords, credit card numbers and personal information are especially attractive to malicious actors which makes them more susceptible to theft and/or misuse.
This vulnerability comes about when encryption fails. Some of the Notable Common Weakness Enumerations (CWEs) included are the Use of Hard-coded Password, Broken or Risky Crypto Algorithms, and Insufficient Entropy. If exploited, it can have very severe consequences. These include identity theft, financial fraud, privacy violations, and reputational Damage for individuals and organizations alike.
Testing
Cryptographic failures rank on the top of the OWASP list because it affects all three pillars of cybersecurity: Availability, Confidentiality and Integrity of data. When testing if your web application is vulnerable, some of the questions that can guide you include:
-
- Is any of the data on your web application transmitted or stored in clear text?
- Are there any weak or old cryptographic algorithms or protocols in use either by default or in older bits of the application?
- Are deprecated hash functions such as MD5 or SHA1 in use, or are non-cryptographic hash functions used when cryptographic hash functions are needed?
- Are deprecated cryptographic padding methods such as PKCS number 1 v1.5 in use?
- Are cryptographic error messages or side channel information exploitable, for example in the form of padding oracle attacks?
- Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key management or rotation missing? Are crypto keys checked into source code repositories?
- Is encryption not enforced, e.g., are any HTTP headers (browser) security directives or headers missing?
- Is the received server certificate and the trust chain properly validated?
Mitigation
To mitigate against this, organizations should ensure that they stay up to date with security updates and patches that address vulnerabilities in cryptographic libraries and protocols. They should also employ industry-standard encryption algorithms and avoid deprecated ones. Robust key management practices, including secure key generation, storage, rotation and distribution mechanisms should be implemented. Web applications should also avoid storing sensitive data unnecessarily.
Don’t let your organization become another statistic in the OWASP Top 10 due to cryptographic failures. MerkleFence specializes in identifying and mitigating these vulnerabilities, ensuring your web application’s data remains secure. Our comprehensive security audits address the critical questions raised by OWASP, safeguarding your organization from sensitive data exposure. Take proactive measures to protect your customers, reputation, and bottom line. Contact MerkleFence today for a consultation and let us help you secure your web application’s cryptographic defenses. Talk to us.