Discover and exploit weak cryptographic implementations
What are Cryptographic Failures?
Cryptographic Failures, previously known as Sensitive Data Exposure, is the second most critical web application security risk. It occurs when weak cryptographic implementations leave data in transit and at rest without proper protection.
🎯 Common Failure Scenarios
Weak Hashing Algorithms: Using MD5, SHA-1, or other deprecated algorithms
Scenario: You've discovered a password database using MD5 hashes. Your goal is to crack these hashes and gain unauthorized access.
💡 Hint: Try common passwords, dictionary words, or online MD5 databases
Challenge: Crack the MD5 hashes to reveal the original passwords.
Learning Goal: Understand why MD5 is cryptographically broken and unsuitable for password storage.
🚨 Why MD5 is Dangerous
Fast Computation: Modern hardware can compute billions of MD5 hashes per second
Rainbow Tables: Pre-computed hash databases make cracking instant
No Salt: Same passwords produce identical hashes
Collision Attacks: Different inputs can produce the same hash
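Added example (not part of the original lab): the "No Salt" and pre-computed table points above, shown next to a hardened storage scheme. The user names, passwords, wordlist, function names, and the PBKDF2 iteration count are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: alice and bob happen to share a password.
USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "letmein"}
WORDLIST = ["123456", "password", "letmein", "sunshine", "qwerty"]


def md5_store(password):
    """Weak scheme from the lab: unsalted MD5 hex digest."""
    return hashlib.md5(password.encode()).hexdigest()


def precomputed_lookup(stored, wordlist):
    """Hash each candidate once; with no salt the same table matches every
    account, which is why precomputed tables work against this scheme."""
    table = {md5_store(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def kdf_store(password, iterations=600_000):
    """Hardened form: fresh random salt per record plus a slow KDF.
    The iteration count is an assumed work factor; tune it to your hardware."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key


def kdf_verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(key, expected)


if __name__ == "__main__":
    stored = {user: md5_store(pw) for user, pw in USERS.items()}
    print("identical MD5 for alice and bob:", stored["alice"] == stored["bob"])
    print("recovered by one lookup table:", precomputed_lookup(stored, WORDLIST))
    a, b = kdf_store("sunshine"), kdf_store("sunshine")
    print("salted records differ:", a[2] != b[2])
    print("correct password verifies:", kdf_verify("sunshine", a))
    print("wrong password rejected:", not kdf_verify("letmein", a))
```

With a per-record salt, a table built for one record is useless against the next, and the slow KDF raises the cost of every guess.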
🔓 Lab 2: Caesar Cipher Breaking Challenge
Scenario: A company is using a "custom encryption" algorithm (Caesar cipher) to protect sensitive data. Break the encryption to access confidential information.
Challenge: Find the correct shift value to decrypt the sensitive files.
Hint: Look for readable English text patterns. Common words like "THE", "AND", "PASSWORD" should appear.
🚨 Why Custom Crypto Fails
Security by Obscurity: Hiding the algorithm doesn't make it secure
Weak Key Space: Caesar cipher has only 25 possible keys
Pattern Preservation: Letter frequency analysis reveals the shift
No Authentication: No way to verify data integrity
Real-world Impact: Any "custom" encryption without peer review is likely breakable.