
Cryptographic Failures (A04) remain one of the most critical security weaknesses highlighted in the OWASP Top 10 (2025). This category focuses on the improper implementation, weak usage, or complete absence of encryption mechanisms that protect sensitive data in modern applications.
When cryptography is misconfigured or outdated, attackers can easily intercept, decode, or manipulate sensitive information such as passwords, personal data, financial records, and healthcare information. These weaknesses often lead to severe data breaches and compliance violations.
What Are Cryptographic Failures?
Cryptographic failures occur when an application does not properly protect data using encryption techniques or uses weak cryptographic algorithms. These failures typically happen in two main areas:
- Data in transit (data moving across networks)
- Data at rest (data stored in databases, files, or backups)
A secure application should ensure encryption at both layers to prevent unauthorized access.
Key Areas Where Cryptographic Failures Occur
1. Weak or Missing Encryption in Transit
All sensitive data should be encrypted while traveling across networks using secure protocols like TLS 1.2 or higher.
Common issues include:
- Using HTTP instead of HTTPS
- Allowing protocol downgrade attacks
- Not enforcing secure communication across all pages
Example Attack Scenario: If a website partially uses HTTPS but still allows HTTP access, an attacker can downgrade the connection from HTTPS to HTTP. This allows interception of session cookies, leading to account hijacking.
2. Weak Encryption at Rest
Sensitive data stored in databases or files must be properly encrypted. Storing passwords or sensitive fields in plain text or using weak hashing methods is extremely dangerous.
Example Attack Scenario: If a database stores passwords using simple hashing like MD5, attackers can easily use precomputed hash tables (rainbow tables) to recover original passwords.
3. Use of Weak Cryptographic Algorithms
Applications must avoid outdated or weak algorithms that are vulnerable to modern attacks.
Common weak algorithms include MD5, SHA-1, etc.
These should be replaced with modern standards such as SHA-256 for hashing, together with stronger encryption mechanisms for confidentiality.
4. Improper Certificate Validation
Applications must correctly validate SSL/TLS certificates to ensure secure communication channels.
Issues include:
- Missing certificate chain validation
- Accepting self-signed certificates in production
- Ignoring expired certificates
5. Insufficient Randomness and Entropy
Cryptographic systems depend heavily on randomness. Weak random number generation can lead to predictable encryption keys or tokens.
6. Padding Oracle Attacks
7. Hardcoded or Weak Keys
Common CWE Mappings for Cryptographic Failures
Cryptographic Failures in the OWASP ecosystem are often associated with the following CWEs:
- CWE-261: Weak Encoding for Password
- CWE-296: Improper Certificate Chain Validation
- CWE-319: Cleartext Transmission of Sensitive Data
- CWE-321: Hard-coded Cryptographic Key
- CWE-325: Missing Required Cryptographic Step
- CWE-326: Inadequate Encryption Strength
- CWE-331: Insufficient Entropy
- CWE-338: Weak Pseudo-Random Number Generator
For more details, refer to the official OWASP Top 10 documentation: OWASP Top 10 Official Site.
Real-World Examples of Cryptographic Failures
Example 1: Missing HTTPS Enforcement
A website only partially enforces HTTPS. Attackers exploit this by redirecting users to HTTP versions of the site and intercepting session cookies.
Impact:
- Session hijacking
- Credential theft
- Account takeover
Example 2: Weak Password Storage
A system stores passwords using unsalted MD5 hashes.
Impact:
- Fast password cracking using rainbow tables
- Massive credential leaks during breaches
Prevention and Best Practices
To mitigate cryptographic failures, developers and security teams should follow strong cryptographic standards:
1. Classify Sensitive Data
Identify what data needs encryption:
- Passwords
- Personally identifiable information (PII)
- Medical records
- Financial data
2. Use Strong Cryptographic Algorithms
- Use AES-256 for encryption
- Use SHA-256 or stronger hashing algorithms
- Avoid deprecated algorithms like MD5 and SHA-1
3. Enforce Encryption in Transit
- Use TLS 1.2 or TLS 1.3
- Disable weak protocols (SSL, TLS 1.0, TLS 1.1)
- Ensure all endpoints use HTTPS
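The certificate-validation issues listed under "Improper Certificate Validation" and the TLS 1.2 floor above can be checked in code. The following is an added example (not from the original article): a Python TLS client configuration with the weak settings beside the hardened ones, plus an audit helper; the function names are my own.

```python
import ssl


def insecure_context() -> ssl.SSLContext:
    """The weak configuration the article warns about: certificate chain and
    hostname checks disabled. Shown only for contrast with hardened_context()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # hostname no longer matched against the certificate
    ctx.verify_mode = ssl.CERT_NONE  # self-signed, expired and untrusted chains all accepted
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Validates the chain against the system CA store, checks the hostname,
    and refuses anything older than TLS 1.2 (so TLS 1.0/1.1 cannot be negotiated)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True + system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Returns a list of findings; an empty list means the context meets the
    three requirements discussed in the article."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain not validated (CERT_REQUIRED not set)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 still negotiable (minimum_version below TLSv1_2)")
    return findings
```

Pass `hardened_context()` as the `context=` argument to `urllib.request.urlopen` or `http.client.HTTPSConnection`; it also rejects expired certificates, since OpenSSL's chain validation checks validity dates.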
4. Enable HSTS Header
Force browsers to always use secure connections by sending the HTTP Strict Transport Security (HSTS) header.
5. Secure Password Storage
- Use salted hashing (bcrypt, Argon2, PBKDF2)
- Never store plaintext passwords
- Never reuse cryptographic salts
6. Use Secure Random Number Generators
Ensure cryptographic operations use secure entropy sources for:
- Tokens
- Session IDs
- Encryption keys
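An added example (not from the original article) showing why the entropy source matters for the three items above: a session ID derived from Python's general-purpose `random` module is reproducible from its seed, whereas `secrets` draws from the OS CSPRNG. The function names are my own.

```python
import hmac
import random
import secrets


def weak_session_id(seed: float) -> str:
    """Weak: Mersenne Twister seeded from something an attacker can estimate
    (for example the clock). Same seed, same ID, so the ID is predictable."""
    rng = random.Random(seed)
    return "%032x" % rng.getrandbits(128)


def secure_session_id() -> str:
    """Secure: 32 bytes (256 bits) from the OS CSPRNG, URL-safe base64 encoded."""
    return secrets.token_urlsafe(32)


def new_aes256_key() -> bytes:
    """Fresh 256-bit key for AES-256; secrets.token_bytes is backed by os.urandom."""
    return secrets.token_bytes(32)


def tokens_match(presented: str, stored: str) -> bool:
    """Constant-time comparison so validating a token does not leak it byte by byte."""
    return hmac.compare_digest(presented, stored)
```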
7. Avoid Deprecated Cryptography
Eliminate: MD5, SHA-1
Replace with modern secure standards.
8. Disable Caching of Sensitive Data
Prevent browsers and proxies from storing sensitive responses using cache-control headers.
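The HSTS, cookie and cache-control points above can be checked from a captured response. This is an added example (not from the original article): a small header audit run over two constructed responses, one weak and one hardened; the sample responses, function names and the one-year HSTS threshold are my own assumptions.

```python
# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: session=abc123; Path=/
Cache-Control: public, max-age=3600
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
Cache-Control: no-store
"""


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Lower-cased header name -> list of values (Set-Cookie may repeat)."""
    headers: dict[str, list[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_response(raw: str, sensitive: bool = True) -> list[str]:
    """Returns findings for missing HSTS, cookies without Secure, and cacheable
    sensitive responses. An empty list means all three checks passed."""
    h = parse_headers(raw)
    findings = []
    hsts = h.get("strict-transport-security", [""])[0].lower()
    if not hsts:
        findings.append("no HSTS header: browsers may still fall back to http://")
    else:
        directives = [d.strip() for d in hsts.split(";")]
        max_age = next((int(d[8:]) for d in directives if d.startswith("max-age=")), 0)
        if max_age < 31536000:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in directives:
            findings.append("HSTS does not cover subdomains")
    for cookie in h.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("cookie without Secure flag: " + cookie.split("=")[0])
    cc = h.get("cache-control", [""])[0].lower()
    if sensitive and "no-store" not in cc:
        findings.append("sensitive response is cacheable: Cache-Control lacks no-store")
    return findings
```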
Cryptographic Failures are among the most dangerous vulnerabilities in modern applications because they directly expose sensitive data. The OWASP Top 10 (2025) emphasizes the importance of strong encryption, secure key management, and proper implementation of cryptographic standards.
By following best practices such as enforcing TLS, using strong hashing algorithms, enabling HSTS, and avoiding deprecated cryptography, organizations can significantly reduce the risk of data breaches and maintain trust in their systems.