README.md

A02 - Cryptographic Failures

Introduction and background

In previously OWASP lists, this vulnerability was named Sensitive Data Exposure. OWASP changed the name due to this is more a broad symptom rather than a root cause. The focus should be on failures related to cryptography (or lack thereof), which again could lead to exposure of sensitive data.

CWEs

Notable Common Weakness Enumerations (CWEs):

• CWE-259: Use of Hard-coded Password
• CWE-327: Broken or Risky Crypto Algorithm
• CWE-331: Insufficient Entropy

CVEs

Examples of CVEs :

• 259
• 327
• 331

Examples of attacker scenarios using juice shop

• Weird Crypto - Inform the shop about an algorithm or library it should definitely not use the way it does.
  • Hint: What is known weak cryptographic algorithms?
  • Create a new juice-shop user and change password for your new user with an easy one e.g 'admin123' and observe response from /change-password (In the Firefox tool)
  • For feedback use http://<yourhost>/#/contact
• Forged Coupon - Manipulate shopping coupon by discovering crypto algorithm.

Primary defenses

• OWASP's transport layer protection cheat sheet
• OWASP's user privacy protection cheat sheet
• OWASP's password and cryptographic storage cheat sheet