Category: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Incomplete
Summary
Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top Ten 2021.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-261 | Weak Encoding for Password | Using simple encoding like Base64 to hide a password provides no real security, as it can be easily reversed. |
| CWE-296 | Improper Following of a Certificate's Chain of Trust | This vulnerability occurs when software fails to properly validate the entire certificate chain back to a trusted root authority. This mistake can cause the system to incorrectly trust a certificate and the resource it represents, creating a security gap. |
| CWE-319 | Cleartext Transmission of Sensitive Information | This vulnerability occurs when an application sends sensitive data, such as passwords or personal information, over a network connection without using encryption. Attackers can easily intercept and read this unprotected data as it travels. |
| CWE-321 | Use of Hard-coded Cryptographic Key | This vulnerability occurs when an application embeds a fixed, unchangeable cryptographic key directly within its source code or configuration files. |
| CWE-322 | Key Exchange without Entity Authentication | This vulnerability occurs when a system establishes a cryptographic key with another party without first confirming that party's true identity. |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | This vulnerability occurs when a cryptographic nonce or key pair is reused, compromising the security of the encrypted data. |
| CWE-324 | Use of a Key Past its Expiration Date | This vulnerability occurs when an application continues to use a cryptographic key or password after its designated expiration date. Doing so dramatically increases the security risk by giving attackers more time to discover or crack the key. |
| CWE-325 | Missing Cryptographic Step | This vulnerability occurs when a software implementation skips a critical step in a cryptographic process, resulting in security that is significantly weaker than the intended algorithm provides. |
| CWE-326 | Inadequate Encryption Strength | This vulnerability occurs when an application protects sensitive information with encryption, but the specific algorithm or key strength used is too weak to withstand modern attack methods. |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | The software relies on a cryptographic algorithm or protocol that is either fundamentally flawed or considered too weak by modern security standards. |
| CWE-328 | Use of Weak Hash | This vulnerability occurs when software uses a hashing algorithm that is cryptographically weak, allowing attackers to feasibly reverse the hash to find the original input, find a different input that creates the same hash, or discover collisions where two inputs produce identical hash values. |
| CWE-329 | Generation of Predictable IV with CBC Mode | This vulnerability occurs when software uses a predictable or reused Initialization Vector (IV) with Cipher Block Chaining (CBC) mode encryption. Predictable IVs undermine the security of CBC, making encrypted data vulnerable to dictionary and chosen-plaintext attacks, especially when the same key is used multiple times. |
| CWE-330 | Use of Insufficiently Random Values | This vulnerability occurs when an application uses random values that are not sufficiently unpredictable in security-sensitive operations, making them easier for attackers to guess or calculate. |
| CWE-331 | Insufficient Entropy | This vulnerability occurs when a system's random number generator or algorithm lacks sufficient unpredictability, creating patterns or predictable outputs that are easier for attackers to guess. |
| CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) is used, but its initial seed value is not handled securely or predictably, compromising the randomness of its output. |
| CWE-336 | Same Seed in Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) is repeatedly initialized with the same starting seed value. |
| CWE-337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) uses an easily guessable starting value, like the current system time or a process ID, to begin its sequence. |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | This vulnerability occurs when software uses a pseudo-random number generator (PRNG) that is not cryptographically strong for security-sensitive operations, such as generating keys, tokens, or initialization vectors. |
| CWE-340 | Generation of Predictable Numbers or Identifiers | This vulnerability occurs when a system creates numbers or identifiers that are too easy to guess, undermining security mechanisms that rely on unpredictability. |
| CWE-347 | Improper Verification of Cryptographic Signature | This vulnerability occurs when an application fails to properly check the digital signature on data, or skips the verification step entirely, allowing tampered or forged information to be accepted as legitimate. |
| CWE-523 | Unprotected Transport of Credentials | This vulnerability occurs when a login page or authentication system transmits user credentials (like usernames and passwords) over a network without proper encryption, exposing them to interception. |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | This vulnerability occurs when a protocol or system allows negotiating a security algorithm (like encryption) but chooses a weaker option than the strongest one both parties support, creating an unnecessary security gap. |
| CWE-759 | Use of a One-Way Hash without a Salt | This vulnerability occurs when a system uses a one-way hash function (like MD5 or SHA-256) to protect sensitive data like passwords, but fails to add a unique random value called a salt before hashing. |
| CWE-760 | Use of a One-Way Hash with a Predictable Salt | This vulnerability occurs when an application uses a one-way hash (like for password storage) but combines it with a predictable or easily guessed salt. This undermines the security benefit of salting, making pre-computed attack methods like rainbow tables highly effective. |
| CWE-780 | Use of RSA Algorithm without OAEP | This vulnerability occurs when an application implements RSA encryption but fails to use Optimal Asymmetric Encryption Padding (OAEP), significantly weakening the cryptographic protection. |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort | This vulnerability occurs when a system protects passwords by hashing them, but uses a hashing algorithm that is too fast or computationally cheap. This makes it easy for attackers to crack the stored password hashes using brute-force methods. |
| CWE-1344 | Weaknesses in OWASP Top Ten (2021) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021. |
| CWE-310 | Cryptographic Issues | Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed. |
| CWE-720 | OWASP Top Ten 2007 Category A9 - Insecure Communications | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2007. |
| CWE-818 | OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2010. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.