Addition of Insecure Implementation subcategory and variants

bugcrowd · Aug 15, 2023 · 8915b38 · 8915b38
1 parent e6286ff
commit 8915b38
Show file tree

Hide file tree

Showing 9 changed files with 102 additions and 0 deletions.
diff --git a/submissions/description/cryptographic_weakness/insecure_implementation/guidance.md b/submissions/description/cryptographic_weakness/insecure_implementation/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards.  Please include specific details on where you identified the insecure implementation of cryptography, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/...eakness/insecure_implementation/improper_following_of_specification/guidance.md b/...eakness/insecure_implementation/improper_following_of_specification/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards.  Please include specific details on where you identified the improper following of specification, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/.../insecure_implementation/improper_following_of_specification/recommendations.md b/.../insecure_implementation/improper_following_of_specification/recommendations.md
@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+Implement robust entropy for the cryptographic algorithms and ensure that the algorithms, protocols, and keys in place are kept up to date. Use only well vetted cryptographic libraries.
+
+For more information, refer to the following resource:
+
+- <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/>
diff --git a/...eakness/insecure_implementation/improper_following_of_specification/template.md b/...eakness/insecure_implementation/improper_following_of_specification/template.md
@@ -0,0 +1,22 @@
+# Improper Following of Specification (Other)
+
+## Overview of the Vulnerability
+
+Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the implementation of cryptography improperly follows specifications, which can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint.
+
+## Business Impact
+
+This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
+1. Setup {{software}} to intercept and log requests
+1. Use a browser to navigate to: {{URL}}
+1. {{action}} to view unencrypted requests
+
+## Proof of Concept (PoC)
+
+The screenshot below demonstrates the improper following of specification:
+
+{{screenshot}}
diff --git a/...graphic_weakness/insecure_implementation/missing_cryptographic_step/guidance.md b/...graphic_weakness/insecure_implementation/missing_cryptographic_step/guidance.md
@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards.  Please include specific details on where you identified the insecure implementation of cryptography, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
diff --git a/..._weakness/insecure_implementation/missing_cryptographic_step/recommendations.md b/..._weakness/insecure_implementation/missing_cryptographic_step/recommendations.md
@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+Implement robust entropy for the cryptographic algorithms and ensure that the algorithms, protocols, and keys in place are kept up to date. Use only well vetted cryptographic libraries.
+
+For more information, refer to the following resource:
+
+- <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/>
diff --git a/...graphic_weakness/insecure_implementation/missing_cryptographic_step/template.md b/...graphic_weakness/insecure_implementation/missing_cryptographic_step/template.md
@@ -0,0 +1,22 @@
+# Missing Cryptographic Step
+
+## Overview of the Vulnerability
+
+Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. Missing computational steps during the implementation of cryptography was identified which degrades security. This can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint.
+
+## Business Impact
+
+This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
+1. Setup {{software}} to intercept and log requests
+1. Use a browser to navigate to: {{URL}}
+1. {{action}} to view unencrypted requests
+
+## Proof of Concept (PoC)
+
+The screenshot below demonstrates the missing cryptographic step:
+
+{{screenshot}}
diff --git a/...s/description/cryptographic_weakness/insecure_implementation/recommendations.md b/...s/description/cryptographic_weakness/insecure_implementation/recommendations.md
@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+Implement robust entropy for the cryptographic algorithms and ensure that the algorithms, protocols, and keys in place are kept up to date.
+
+For more information, refer to the following resource:
+
+- <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/>
diff --git a/submissions/description/cryptographic_weakness/insecure_implementation/template.md b/submissions/description/cryptographic_weakness/insecure_implementation/template.md
@@ -0,0 +1,22 @@
+# Insecure Implementation
+
+## Overview of the Vulnerability
+
+Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. Insecure implementation of cryptography was identified which can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint.
+
+## Business Impact
+
+This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
+1. Setup {{software}} to intercept and log requests
+1. Use a browser to navigate to: {{URL}}
+1. {{action}} to view unencrypted requests
+
+## Proof of Concept (PoC)
+
+The screenshot below demonstrates the insecure implementation:
+
+{{screenshot}}