Introduction articlecovered details of OWASP & Injection attacks and 2 more articles in sequence covered broken access and authentication failures (check reference links for more details). This 4th article is in continuation of the series and will cover A02:2021 – Cryptographic Failures.
Introduction to A02:2021 – Cryptographic Failures:
In 2017 this attack is known as Sensitive Data Exposure, which focuses on failures related to cryptography which often lead to exposure of sensitive data.
For this demo we are using OWASP Juice Shop as a vulnerable application which is exposing some files in ftp server location as below.
This website has file type limitations kept in place to restrict users from downloading only .md/,pdf files. For example, let’s say we have a file with the name eastere.gg file which has some sensitive details and when we try to download directly, we get 403 error as below:
Step by step testing process:
Please follow the suggested steps here to configure HTTP load balancer and WAF in cloud console. Make sure WAF is configured in Monitoring mode only to analyze the attack.
Hackers can find a way to bypass this file cryptographic restriction. For example, as shown below we can intercept the outgoing request using burp suite and just by adding null byte to the filename we are able to download the file (%2500.md is a null byte which is equal to empty space in cryptography).
Below are some of the best practices suggested to prevent this attack:
Identify which data is sensitive according to regulatory requirements, or business needs.
Don't store sensitive data unnecessarily.
Make sure to encrypt all sensitive data at rest.
Disable caching for responses that contain sensitive data.
Apply required security controls as per the data classification.
Do not use legacy protocols such as FTP and SMTP for transporting sensitive data.
Store passwords using strong hashing algorithms.
Always use authenticated encryption instead of just encryption.
Avoid deprecated cryptographic functions and schemes, such as MD5, SHA1, etc.
Mitigation using F5 Distributed Cloud Services:
To mitigate these attacks, navigate to Firewall section and in “App Firewall” configuration make sure “Enforcement Mode” is set to “Blocking” as below:
Next in browser try to generate above scenarios and validate your request is blocked as below.
In Distributed Cloud Console expand the security event and check the WAF section to understand the reason why request was blocked.
As shown above, these types of cryptographic failures can be mitigated by configuring WAF on load balancer thereby preventing sensitive data exposure.