What Are Cryptographic Failures? A Simple Overview
Breaking Down OWASP Top 10 - A2: A Guide to Cryptographic Failures
Where Can We Find It?
Cryptographic failures happen when sensitive data is not protected with cryptography at all, or is protected with cryptography that is weak or used incorrectly, leaving it open to theft or tampering. These issues can be found in:
Web Applications (storing passwords, credit card details without encryption)
APIs (transmitting sensitive data over HTTP instead of HTTPS)
Databases (weak or no encryption for stored user data)
Mobile Apps (insecure storage of tokens, credentials)
How Does It Happen?
Cryptographic failures occur when an application:
✅ Uses weak or deprecated algorithms (e.g., MD5, SHA-1, DES/3DES, RC4), or a fast general-purpose hash where a slow password hash is needed
✅ Stores passwords in plain text (instead of hashing them)
✅ Exposes sensitive data in URLs, logs, or error messages
✅ Uses expired certificates, or disables certificate validation (for example to accept a self-signed certificate), which lets anyone impersonate the server
✅ Transmits data over HTTP instead of HTTPS
Common Types of Cryptographic Failures & Examples
1️⃣ Storing Passwords in Plain Text
Some apps store user passwords directly in databases without hashing.
If an attacker gets a copy of the database, every password is readable immediately, and reusable on other sites where users chose the same one.
Fix: Store only a salted hash computed with a slow password-hashing algorithm (e.g., bcrypt, Argon2id, PBKDF2).
2️⃣ Using Weak Hashing Algorithms
MD5 and SHA-1 are deprecated (both have practical collision attacks) and, what matters most for passwords, they are fast: an attacker can test billions of guesses per second against an unsalted MD5 or SHA-1 hash, and a single precomputed table cracks every user who chose the same password.
Fix: Use a slow, purpose-built password hash (bcrypt, Argon2id or PBKDF2) with a unique random salt per password; bcrypt and Argon2 generate the salt for you.
3️⃣ Data Transmission Over HTTP
If an app uses HTTP instead of HTTPS, attackers can intercept data.
Example: A banking site that transmits login details over HTTP lets anyone on the network path (a hotspot operator, a compromised router) read or alter them, a Man-in-the-Middle (MITM) attack.
Fix: Always use HTTPS with TLS 1.2 or, preferably, TLS 1.3, and send an HSTS header so browsers refuse to fall back to HTTP.
4️⃣ Hardcoded Secrets in Code
Developers sometimes put API keys, database passwords and signing keys directly in source code.
Anyone with the repository (a leaked or public repo, a decompiled app, a build artifact) gets the secrets, and rotating them means changing code.
Fix: Load secrets at runtime from environment variables or a secret manager, keep them out of version control, and scan the code base for accidentally committed secrets.
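As an added example (not code from the original article), here is a small Python detector that flags the common shapes of hardcoded secrets in source text, beside a loader that reads a secret from the environment and refuses to start without it. The sample source lines, the regexes and the `load_secret` name are constructed for this demonstration; the AWS key is the placeholder value AWS publishes in its own documentation, not a real credential.

```python
import math
import os
import re

# Constructed sample source, written to exercise the detector (not real code or keys).
# The AWS key below is the example value AWS publishes in its documentation.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal"
DB_PASSWORD = "Sup3rS3cret!2024"
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
JWT_SIGNING = "9f8c3a1b2e4d5f6a7b8c9d0e1f2a3b4c"
DEBUG = True
api_key = os.environ["API_KEY"]
"""

AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# name of a secret, then = or :, then a quoted literal of 8+ characters
ASSIGNED_SECRET_RE = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]([^'\"]{8,})['\"]"
)
QUOTED_RE = re.compile(r"['\"]([^'\"]+)['\"]")
PLACEHOLDERS = {"changeme", "password", "xxxxxxxx", "<redacted>"}


def shannon_entropy(s: str) -> float:
    """Bits per character; long literals near 4 bits/char (hex) or above look like key material."""
    if not s:
        return 0.0
    return -sum(
        (s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s)
    )


def find_hardcoded_secrets(source: str) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, literal) for each suspicious literal in source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = AWS_KEY_RE.search(line)
        if m:
            findings.append((lineno, "aws_access_key_id", m.group(0)))
            continue
        m = ASSIGNED_SECRET_RE.search(line)
        if m and m.group(2).lower() not in PLACEHOLDERS:
            findings.append((lineno, f"literal_{m.group(1).lower()}", m.group(2)))
            continue
        # Fallback: any long, high-entropy quoted literal, whatever the variable is called.
        for literal in QUOTED_RE.findall(line):
            if len(literal) >= 20 and shannon_entropy(literal) >= 3.5:
                findings.append((lineno, "high_entropy_literal", literal))
    return findings


def load_secret(name: str) -> str:
    """Read a secret from the environment (a secret manager in production) and
    fail closed when it is missing, instead of falling back to a default in code."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set")
    return value


if __name__ == "__main__":
    for lineno, kind, literal in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {literal[:4]}...")   # never print the whole value
```

Run it as a pre-commit hook over staged files; the entropy fallback catches keys that a naming-based rule misses, while the placeholder list keeps obvious dummy values out of the findings.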
5️⃣ Exposing Sensitive Data in URLs
Query strings are written to web-server and proxy access logs and browser history, and are sent to third-party sites in the Referer header, so a secret placed in a URL is copied to places the application does not control.
Example:
https://example.com/reset?token=123456
If that URL is logged or leaks via a Referer header, whoever reads it can reset the password for as long as the token stays valid.
Fix: Where possible send secrets in a POST body or header rather than the URL; where a link must carry a token (as a reset e-mail does), make it long and random, short-lived and single-use, store only a hash of it server-side, and redact it from logs.
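Added example, not code from the original article: a Python password-reset flow that keeps the token short-lived and single-use and stores only its SHA-256 digest, plus a log-redaction helper for URLs that carry such tokens. The 15-minute lifetime, the `ResetTokenStore` class, the parameter list in `SENSITIVE_PARAMS` and the user names are assumptions made for this demonstration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_TTL_SECONDS = 15 * 60          # assumed lifetime for a reset link
SENSITIVE_PARAMS = {"token", "password", "session", "access_token", "reset"}


class ResetTokenStore:
    """Issues single-use, short-lived password-reset tokens.

    Only a SHA-256 digest of each token is kept server side, so a copy of this
    table (a database dump, a log line) cannot be replayed as a reset link.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # token digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, URL-safe
        self._pending[self._digest(token)] = (user_id, self._clock() + self._ttl)
        return token                        # goes in the e-mail link, never in a log

    def redeem(self, token: str):
        """Return the user_id for a valid token, else None. The token is consumed
        on the first attempt whether or not it is still valid (single use)."""
        digest = self._digest(token)
        for stored, (user_id, expires_at) in list(self._pending.items()):
            if hmac.compare_digest(stored, digest):   # constant-time comparison
                del self._pending[stored]
                return user_id if self._clock() <= expires_at else None
        return None


def redact_url(url: str) -> str:
    """Blank out sensitive query parameters before a URL is written to a log."""
    parts = urlsplit(url)
    query = [
        (k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    store = ResetTokenStore()
    token = store.issue("alice")
    link = f"https://example.com/reset?token={token}"
    print("log line:", redact_url(link))
    print("first redeem:", store.redeem(token))
    print("second redeem:", store.redeem(token))
```

Because the store holds digests rather than tokens, an attacker who reads it cannot forge a link; the constant-time comparison in `redeem` keeps a timing side channel out of the lookup, and consuming the token on first use means a link copied from a log is worthless once the legitimate user has clicked it.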
How to Mitigate Cryptographic Failures?
🔒 1. Encrypt Sensitive Data
Use AES-256 in an authenticated mode such as AES-GCM, with a fresh random nonce/IV for every message; never ECB mode.
Hash passwords with bcrypt, Argon2, or PBKDF2.
🔒 2. Enforce HTTPS Everywhere
Use TLS 1.2 or higher (TLS 1.3 where possible) and disable old protocol versions and weak cipher suites.
Redirect HTTP requests to HTTPS automatically and send a Strict-Transport-Security (HSTS) header.
🔒 3. Store Secrets Securely
Use environment variables, not hardcoded keys.
Store encryption keys securely (e.g., AWS KMS, HashiCorp Vault).
🔒 4. Implement Secure Password Storage
Always hash passwords with a slow, purpose-built algorithm (Argon2id, bcrypt, or PBKDF2 with a high iteration count) before storing them; never encrypt them, since an encryption key can be stolen or misused.
Use a unique random salt per password (bcrypt and Argon2 do this for you) so identical passwords produce different hashes and precomputed rainbow tables are useless.
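An added example in Python, not taken from the original article, covering types 1️⃣ and 2️⃣ above and this mitigation: the unsalted MD5 "before", an offline attack that recovers every user with a common password from one precomputed table, and the salted PBKDF2-HMAC-SHA256 "after" with verification and a rehash check. PBKDF2 is used because it ships in the standard library; bcrypt and Argon2id (the `bcrypt` and `argon2-cffi` packages) are the stronger choices in production. The record format, the user names and the sample passwords are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Iteration count for PBKDF2-HMAC-SHA256; OWASP's Password Storage Cheat Sheet
# recommends 600,000. Raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def hash_password_weak(password: str) -> str:
    """The 'before': unsalted MD5. Same password -> same hash for every user,
    and MD5 is fast enough for billions of guesses per second on a GPU."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(stolen: dict, wordlist) -> dict:
    """Offline attack on unsalted hashes: hash the wordlist ONCE, then match
    every stolen record against that table. Cost does not grow with users."""
    table = {hash_password_weak(word): word for word in wordlist}
    return {user: table[h] for user, h in stolen.items() if h in table}


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """The 'after': per-password random salt plus a deliberately slow KDF.
    Stored as algorithm$iterations$salt$hash so parameters can change later."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
        if algo != ALGO:
            return False
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:                     # malformed record
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record is weaker than current policy; call after a successful
    login and re-hash the password the user just typed."""
    try:
        algo, stored_iterations, _salt, _dk = stored.split("$")
        return algo != ALGO or int(stored_iterations) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed "stolen database" of unsalted MD5 hashes (demo users only).
    stolen = {u: hash_password_weak(p) for u, p in
              {"alice": "hunter2", "bob": "hunter2", "carol": "Tr0ub4dor&3"}.items()}
    print("cracked:", crack_unsalted(stolen, ["password", "hunter2", "letmein"]))
    record = hash_password("hunter2")
    print(record)
    print(verify_password("hunter2", record), verify_password("hunter3", record))
```

Two things to notice when you run it: `crack_unsalted` recovers alice and bob together from one table lookup, which is exactly the failure a per-user salt prevents, and two calls to `hash_password` with the same input give different records, so the attacker must start from scratch for every user.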
🔒 5. Secure Data Transmission
Never pass sensitive data in URLs.
Use secure cookies with the HttpOnly, Secure and SameSite attributes.
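An added Python example (not from the original article) for mitigations 2 and 5: a minimal WSGI layer that redirects any plain-HTTP request to the same URL over HTTPS, sends an HSTS header on TLS responses, and sets the session cookie with the Secure, HttpOnly and SameSite attributes. The app, header values and cookie name are assumptions for the demonstration; the `X-Forwarded-Proto` header is honoured only when the caller says the app sits behind a trusted TLS-terminating proxy.

```python
from http import cookies

HSTS = "max-age=31536000; includeSubDomains"   # one year; add preload once verified


def https_redirect(environ: dict, trust_proxy_header: bool = False):
    """Return (status, headers) for a 301 to HTTPS if the request was plain HTTP,
    else None. Only trust X-Forwarded-Proto behind a proxy you control; otherwise
    any client could claim to be on HTTPS and skip the redirect."""
    scheme = environ.get("wsgi.url_scheme", "http")
    if trust_proxy_header and environ.get("HTTP_X_FORWARDED_PROTO"):
        scheme = environ["HTTP_X_FORWARDED_PROTO"].lower()
    if scheme == "https":
        return None
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    target = "https://" + host + environ.get("PATH_INFO", "/")
    if environ.get("QUERY_STRING"):
        target += "?" + environ["QUERY_STRING"]
    return "301 Moved Permanently", [("Location", target)]


def session_cookie_header(name: str, value: str, max_age: int = 3600) -> str:
    """Set-Cookie value with Secure (TLS only), HttpOnly (no script access)
    and SameSite=Lax (not sent on cross-site POSTs)."""
    jar = cookies.SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def secure_app(environ, start_response):
    """WSGI app: redirect HTTP, otherwise answer with HSTS and a hardened cookie."""
    redirect = https_redirect(environ)
    if redirect is not None:
        status, headers = redirect
        start_response(status, headers + [("Content-Length", "0")])
        return [b""]
    headers = [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("Strict-Transport-Security", HSTS),        # only meaningful over TLS
        ("Set-Cookie", session_cookie_header("session", "demo-session-id")),
    ]
    start_response("200 OK", headers)
    return [b"served over TLS\n"]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Plain HTTP on purpose: every request will be answered with a 301 to https://
    with make_server("127.0.0.1", 8080, secure_app) as server:
        print("listening on http://127.0.0.1:8080 (expect redirects)")
        server.serve_forever()
```

Browsers ignore an HSTS header received over plain HTTP, which is why it is only attached to the TLS response; the redirect keeps the path and query so deep links still work, and the cookie attributes mean a session id is never sent in the clear or exposed to injected script.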
Real-World Case Study: Adobe Data Breach (2013)
What Happened?
Adobe stored about 153 million user passwords encrypted with 3DES in ECB mode, not hashed, with the users' password hints beside them in plaintext.
Attackers copied the database. ECB mode encrypts each 8-byte block independently with the same key, so every user with the same password had exactly the same ciphertext, and passwords sharing their first eight characters shared their first ciphertext block. Combined with the plaintext hints, this let analysts work out the most common passwords for millions of accounts without ever recovering the key.
Result: Millions of accounts were compromised (Adobe put the number of active accounts affected at about 38 million) and their passwords had to be reset.
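To make the ECB point concrete, here is an added Python demonstration (not Adobe's code and not from the original article). A keyed deterministic 8-byte function stands in for the 3DES block cipher, which is enough to show what the mode leaks: under ECB, users with the same password get the same ciphertext, and passwords that share their first eight characters share their first ciphertext block, so the plaintext hints stored beside them reveal the password for the whole group. A counter mode with a random nonce built from the same function hides this. The user records, passwords and hints are constructed for the demo; real code should use AES-GCM from a vetted library, and should hash passwords rather than encrypt them at all.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

BLOCK = 8   # 3DES block size in bytes; the Adobe records were 3DES in ECB mode


def toy_block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher: keyed and deterministic, 8 bytes out.
    It is NOT a cipher (not invertible); the mode behaviour is what matters here."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # PKCS#7 padding to a whole block
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Each block encrypted independently: equal blocks in -> equal blocks out."""
    p = pad(plaintext)
    return b"".join(toy_block_fn(key, p[i:i + BLOCK]) for i in range(0, len(p), BLOCK))


def ctr_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Counter mode with a fresh random nonce: the keystream never repeats,
    so encrypting the same password twice gives unrelated ciphertexts."""
    nonce = secrets.token_bytes(4)
    out = bytearray()
    for counter, i in enumerate(range(0, len(plaintext), BLOCK)):
        keystream = toy_block_fn(key, nonce + counter.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], keystream))
    return nonce + bytes(out)


# Constructed records modelled on the shape of the leaked dump: for each user,
# an encrypted password and a plaintext hint. Passwords chosen for the demo.
USERS = {
    "alice": ("123456", "just numbers"),
    "bob":   ("123456", "1 through 6"),
    "carol": ("sunshine", "weather"),
    "dave":  ("sunshine", "sun"),
    "erin":  ("hunter2", ""),
}


def build_dump(key: bytes, encrypt=ecb_encrypt) -> dict:
    return {user: (encrypt(key, pw.encode()), hint) for user, (pw, hint) in USERS.items()}


def groups_with_hints(dump: dict) -> list:
    """Cluster users whose ciphertexts are identical; every hint in a cluster
    describes the same password, so one weak hint gives away the whole group."""
    clusters = defaultdict(list)
    for user, (ciphertext, hint) in dump.items():
        clusters[ciphertext].append((user, hint))
    return sorted(sorted(group) for group in clusters.values() if len(group) > 1)


if __name__ == "__main__":
    key = secrets.token_bytes(24)          # 3DES-sized key, for illustration only
    print("ECB clusters:", groups_with_hints(build_dump(key, ecb_encrypt)))
    print("CTR clusters:", groups_with_hints(build_dump(key, ctr_encrypt)))
```

The attack never touches the key: it is pure frequency analysis over ciphertext equality, which is why the same approach worked on the real dump at the scale of millions of records.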
How Was It Fixed?
✅ Moved to stronger encryption (AES-256)
✅ Used bcrypt for password hashing
✅ Enforced two-factor authentication (2FA)
Lesson: Badly used encryption can be as bad as no encryption! Passwords should be hashed with a slow, salted algorithm rather than encrypted, and data that must be encrypted needs a modern cipher in an authenticated mode with a random IV, from a vetted library. 🚀