Category: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Incomplete
Summary
Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top Ten 2021.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-261 | Weak Encoding for Password | Obscuring a password with a trivial encoding does not protect the password. |
| CWE-296 | Improper Following of a Certificate's Chain of Trust | The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any resource that is associated with that certificate. |
| CWE-319 | Cleartext Transmission of Sensitive Information | The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. |
| CWE-321 | Use of Hard-coded Cryptographic Key | The product uses a hard-coded, unchangeable cryptographic key. |
| CWE-322 | Key Exchange without Entity Authentication | The product performs a key exchange with an actor without verifying the identity of that actor. |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | Nonces should be used for the present occasion and only once. |
| CWE-324 | Use of a Key Past its Expiration Date | The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. |
| CWE-325 | Missing Cryptographic Step | The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm. |
| CWE-326 | Inadequate Encryption Strength | The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | The product uses a broken or risky cryptographic algorithm or protocol. |
| CWE-328 | Use of Weak Hash | The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). |
| CWE-329 | Generation of Predictable IV with CBC Mode | The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key. |
| CWE-330 | Use of Insufficiently Random Values | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
| CWE-331 | Insufficient Entropy | The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. |
| CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds. |
| CWE-336 | Same Seed in Pseudo-Random Number Generator (PRNG) | A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized. |
| CWE-337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time. |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
| CWE-340 | Generation of Predictable Numbers or Identifiers | The product uses a scheme that generates numbers or identifiers that are more predictable than required. |
| CWE-347 | Improper Verification of Cryptographic Signature | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
| CWE-523 | Unprotected Transport of Credentials | Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mechanism such as encryption or authentication, but it does not select the strongest algorithm that is available to both parties. |
| CWE-759 | Use of a One-Way Hash without a Salt | The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt as part of the input. |
| CWE-760 | Use of a One-Way Hash with a Predictable Salt | The product uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product uses a predictable salt as part of the input. |
| CWE-780 | Use of RSA Algorithm without OAEP | The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption. |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort | The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive. |
| CWE-1344 | Weaknesses in OWASP Top Ten (2021) | CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021. |
| CWE-310 | Cryptographic Issues | Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed. |
| CWE-720 | OWASP Top Ten 2007 Category A9 - Insecure Communications | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2007. |
| CWE-818 | OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection | Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2010. |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.