-
Notifications
You must be signed in to change notification settings - Fork 49
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #495 from bugcrowd/VRT-update-Aug23-12
Adding Use of Broken Cryptographic Primitive
- Loading branch information
Showing
3 changed files
with
35 additions
and
0 deletions.
There are no files selected for viewing
5 changes: 5 additions & 0 deletions
5
...iption/cryptographic_weakness/use_of_broken_cryptographic_primitive/guidance.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| # Guidance | ||
|
|
||
| Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Please include specific details on where you identified the broken cryptographic primitive, how you identified it, and what actions you were able to perform as a result. | ||
|
|
||
| Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC). |
8 changes: 8 additions & 0 deletions
8
...cryptographic_weakness/use_of_broken_cryptographic_primitive/recommendations.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| # Recommendation(s) | ||
|
|
||
| Implement strong cryptography and keep up to date algorithms, protocols, and keys in place. Use only trustworthy cryptographic algorithms outlined within security standards and regulations. | ||
|
|
||
| For more information, refer to the following resources: | ||
|
|
||
| - <https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html> | ||
| - <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/> |
22 changes: 22 additions & 0 deletions
22
...iption/cryptographic_weakness/use_of_broken_cryptographic_primitive/template.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # Use of Broken Cryptographic Primitive | ||
|
|
||
| ## Overview of the Vulnerability | ||
|
|
||
| Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application uses a broken cryptographic primitive which can allow an attacker to decrypt sensitive information. | ||
|
|
||
| ## Business Impact | ||
|
|
||
| This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. | ||
|
|
||
| ## Steps to Reproduce | ||
|
|
||
| 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP | ||
| 1. Setup {{software}} to intercept and log requests | ||
| 1. Use a browser to navigate to: {{URL}} | ||
| 1. {{action}} to view unencrypted requests | ||
|
|
||
| ## Proof of Concept (PoC) | ||
|
|
||
| The following screenshot(s) demonstrate(s) this vulnerability: | ||
|
|
||
| {{screenshot}} |