OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to the A02 category "Cryptographic Failures" in the OWASP Top Ten 2021.
The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary ...
The product uses a scheme that generates numbers or identifiers that are more predictable than required.
The software does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any reso...
The software does not verify, or incorrectly verifies, the cryptographic signature for data.
The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
The software uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.
The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
The software performs a key exchange with an actor without verifying the identity of that actor.
The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time.
Nonces should be used for the present occasion and only once.
A Pseudo-Random Number Generator (PRNG) uses the same seed each time the product is initialized.
A protocol or its implementation supports interaction between multiple actors and allows those actors to negotiate which algorithm should be used as a protection mecha...
Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attac...
The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software uses a predictable salt as part of ...
The software uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the software does not also use a salt as part of...
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking a...
The software uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.
The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably...
Obscuring a password with a trivial encoding does not protect the password.
Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniqu...
Deprecated or Obsolete
Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2007.
Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2010.
CWE entries in this view (graph) are associated with the OWASP Top Ten, as released in 2021.