How to Make the Most of a Devastating Penetration Test Report
Learn how to make the best out of a negative penetration test report, and learn why a negative report isn't always a bad thing!
OWASP Top 10 2021 details dangerous & potential vulnerabilities. An introduction to the second position on the list, cryptographic failures.
TL;DR:
Cryptography comprises the tools and techniques used to protect data at rest and in transit to uphold the ideology of the CIA Triad. We are quite known for “not rolling your crypto”. By using a widely accepted standard, you have some level of assurance that the algorithm will not be flawed. You only need to ensure that its implementation is secured. But this assurance is not always completely true. Traditional encryption techniques are not enough due to the rapidly changing threat environment. Weak encryptions might result in the exposure of sensitive data through potential vulnerabilities. This is known as a cryptographic failure. In this article, we’ll discuss in detail, what a cryptographic failure is, and how cryptographic failures affect businesses. In this article, we’ll delve into an introduction to cryptographic failures, exploring their impact on data security. Subsequently, we’ll discuss some examples and mitigation techniques.
OWASP Top 10 list was out in 2021 and as usual, it has enlightened us about the most dangerous and potential vulnerabilities. And cryptographic failure (previously known as Sensitive Data Exposure) has occupied the second position in the list of Top 10 vulnerabilities. So what is this all about?
As per OWASP, cryptographic failure is a symptom instead of a cause. Any failure responsible for the exposure of sensitive and critical data to an unauthorized entity can be considered a cryptographic failure.
There can be various reasons for cryptographic failure. Some of the Common Weakness Enumerations (CWEs) are:
So what happens when these weaknesses turn into failures? How do cryptographic failures affect businesses? Now that we have an idea of what cryptographic failure is, let’s try to understand how it impacts an organization and individuals.
Cryptographic failures have led to significant security breaches in various real-world scenarios. The Heartbleed vulnerability exposed sensitive information in OpenSSL implementations, while the Dual EC DRBG backdoor raised concerns about intentional weaknesses in encryption algorithms. WhatsApp's flaw allowed attackers to inject spyware through voice calls, compromising user privacy. The Exactis debacle resulted in the exposure of 340 million individual records, including names, phone numbers, and emails of US citizens. Similarly, Facebook faced a major incident where millions of user passwords were stored in plain text, accessible to employees. These examples underscore the critical importance of robust cryptographic practices and the potential consequences of failures in encryption systems, highlighting the need for continuous vigilance and improvement in cybersecurity measures.
Poor cryptography directly affects the security of an application and its data. Lack of security can let attackers steal and modify data to conduct fraud, and identity theft, which can lead to serious consequences.
Attackers try to steal keys, execute man-in-the-middle attacks, or steal data from the server, in transit, or from the browser. This again leads to compromise in sensitive information.
The impact of a cryptographic failure is not limited to stealing a piece of information from/of a user. Attackers can get hold of a complete database having thousands of sensitive information, data theft, public listing, breaches, and many critical problems with business-related data. You can also imagine a scenario where the credentials of an admin are stolen and the attacker gets complete control of a server. Cryptographic failures can result in irreparable damage to reputation and heavy lawsuits.
Let's say you have an application up and running. Now you want to assess if your application is vulnerable to cryptographic failures. Of course, if you want an answer to that backed by rigorous tests, you need to wait for those tests to happen. But some aspects are so simple that just asking yourself a couple of questions can give you a sense of confidence.
Here are some of those questions:
If your answer to any of these questions is a “yes”, then you’re vulnerable to cryptographic failures. To understand how these questions decide your crypto-security and see how cryptographic failures happen, let’s look at some examples.
Just encoding passwords is not enough in this era. With powerful tools and techniques, unsalted hashes are not very difficult to crack. Password salting makes it difficult for any password cracking technique as the salt adds additional length to the password. The longer the salt, the more difficult it gets. However, If you’re storing unsalted passwords, an attacker can use a rainbow table to crack these passwords.
Modern database management systems are taking cryptography seriously. That’s why they provide features like transparent data encryption (TDE) that take care of the encryption of data as they’re written into the database. But the problem is that this data is also automatically decrypted when you retrieve it. So this still makes it vulnerable to cryptographic failures from techniques such as SQL injections.
Supposedly a website does not use strong protocol. Attackers can take advantage of this and get access to your network traffic. This is not just limited to spying on the network traffic. To think of possibilities, an attacker can access all the requests made through your browser, modify requests, and steal cookies of users’ sessions. They can also force the connection from HTTPS to HTTP to get access to decrypted data. This can be fatal as sensitive and highly confidential data is being exposed.
You’ve probably heard of many cases where an “intern” accidentally pushed some code with hard-coded credentials to a repository. This led to cryptographic failure. Imagine a developer having access to a database pushing a code with their credentials on a public server. What a malicious actor could do with that is scary! This is a lack of secure password/credentials management.
It is recommended that all the encryption keys should be created cryptographically. They should be stored in the form of byte arrays. Plain text passwords should always be converted into cipher text or encrypt them using these keys. It should only be done using a strong encryption method or algorithm. Using lengthy salts for sensitive data additionally increases security.
Secure coding is a set of guidelines that developers follow to integrate security within the application’s code. These practices ensure the use of strong cryptography practices in various parts of the application rather than only on the perimeter of the application’s components. Therefore reducing the chances of cryptographic failures.
Cryptography is one such aspect of security that’s difficult to get perfectly right. That’s why to ensure that you haven’t missed out on anything, you need to conduct regular penetration testing. Penetration testing lets you understand an attacker’s perspective of your application. Therefore, thinking like an attacker helps in identifying any cryptographic and other weaknesses and helps prioritize fixes.
Long story short, It is quite clear why the OWASP Top 10 has cryptographic failures on their list. This is something that shouldn't be taken lightly as companies big scale and small have been a victim of cryptographic failures.
The scope of strengthening cryptography in your application is rather large because it’s not just a single loophole or a bug to fix. It is a collection of weaknesses or poor cryptographic practices that need to be addressed. One thing is clear from all the things we’ve covered so far - It is crucial to assess the strength of your cryptography implementations in your application and work towards improving it. Understanding the introduction to cryptographic failures is crucial to assessing the strength of your cryptography implementations.
Software Secured offers high-quality manual penetration testing combined with our proprietary testing stack to provide a more comprehensive test. Streamline multiple security projects in one place through Portal, the online reporting dashboard that allows you to manage tests, track SLAs, download reports, and view your security posture over time.
Software Secured offers baseline penetration testing for one-time proof of your application security or year-round security coverage through Penetration Testing as a Service (PTaaS). Software Secured also offers a variety of augmented services such as security code review, internal network pentesting, secure cloud review and threat modelling.
If you are interested in learning more or booking a threat modelling service, please book a call with us.
Security
Can be easily manipulated without detection if not properly secured.
Digitally signed and can be validated on the server. Manipulation can be detected.
Size
Limited to 4KB.
Can contain much more data, up to 8KB.
Dependency
Often used for session data on the server-side. The server needs to store the session map.
Contains all the necessary information in the token. Doesn’t need to store data on the server.
Storage Location
Browser cookie jar.
Local storage or client-side cookie.
The advantages and disadvantages of testing on staging compared to production. Which one provides more value.
Providing the quality of the biggest names in security without the price tag and complications.
Manual penetration testing
Full time Canadian hackers
Remediation support