Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added Use of Expired Cryptographic Key #492

Merged
merged 2 commits into from
Oct 25, 2023
Merged

Added Use of Expired Cryptographic Key #492

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2e5e3ad
Added Use of Expired Cryptographic Key
RRudder Aug 15, 2023
df05053
standardised PoC description
RRudder Oct 25, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions ...ion/cryptographic_weakness/use_of_expired_cryptographic_key_or_cert/guidance.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# Guidance

Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Please include specific details on where you identified the expired cryptographic key or certificate, how you identified it, and what actions you were able to perform as a result.

Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
7 changes: 7 additions & 0 deletions ...ptographic_weakness/use_of_expired_cryptographic_key_or_cert/recommendations.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
# Recommendation(s)

Implement strong cryptography and keep up to date algorithms, protocols, and keys in place. It is best practice for the application to verify that the certificate produced by an entity is not expired or revoked, and that it rejects attempts to use expired keys or certificates.

For more information, refer to the following resource:

- <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/>
22 changes: 22 additions & 0 deletions ...ion/cryptographic_weakness/use_of_expired_cryptographic_key_or_cert/template.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
# Use of Expired Cryptographic Key (or Certificate)

## Overview of the Vulnerability

Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application uses an expired cryptographic key or certificate which can allow an attacker to break the confidentiality of requests sent to and from the endpoint.

## Business Impact

This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.

## Steps to Reproduce

1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
1. Setup {{software}} to intercept and log requests
1. Use a browser to navigate to: {{URL}}
1. {{action}} to view unencrypted requests

## Proof of Concept (PoC)

The screenshot below demonstrates the expired cryptographic key or certificate:

{{screenshot}}