Insecure Cryptographic Storage Vulnerability on Web Applications
Friday, October 5, 2012
Nowadays every organization stores its data digitally and uses web applications to manage and update that data. As internet use grows, it becomes important to digitize everything so that it is easier to manage and access. To protect sensitive data, web applications use various cryptographic algorithms. This is a key part of a web application, because security and privacy are the main things an organization wants from an application.
But sometimes these applications fail to protect sensitive data while storing it. This may be because sensitive data is stored in plain text, or because cryptographic algorithms are used poorly.
These flaws can lead to disclosure of sensitive data and information, which may harm the organization. If this vulnerability exists in an e-commerce website, it may harm the users of the website even more than the company running it.
Most common problems why web applications fail to protect data
- Storing sensitive and secret data (such as passwords and credit card details) in plain text form.
- Use of home-grown algorithms to encrypt the data. Home-grown algorithms are ones written by the developers themselves to encrypt passwords and other important data, and they may contain many security holes.
- Using older and weak cryptographic algorithms which are easy to crack. MD5 and SHA1 are examples of such weak algorithms.
- Insecure use of strong and secure cryptographic algorithms.
- Incorrect storage of confidential information in memory, which can lead to information disclosure.
- Lack of support for maintenance procedures and encryption key changes.
Why do web applications need to use strong cryptographic algorithms to store data?
Here the main question arises: is storing data in a cryptographically secure manner really important? Why do we need to protect data so carefully? Big organizations which deal with a lot of secure data and information daily know the answer. But for webmasters I want to give a small example to make it clear why data security really matters.
Suppose there is an online shopping store which is not using any kind of cryptographic protection on its data before storing it in the website database. It means everything goes into the database in plain text. As it is an online store, it will hold records of all the listed products and of all registered customers as well: the password, personal contact details, address and credit card information of every customer who has an account on this online shopping website. Everything runs fine on the internet and customers can purchase anything without any problem. But think what happens if a hacker breaks into the website database by some known or unknown method. Now he has all the information stored in the website database, including the records of all registered customers. This situation is harmful for both the customers and the website. Hackers can use any customer's credit card info for other online purchases, and they can also sell the customers' personal data to online marketing firms. A good online shopping website generally has more than 1,00,000 (one hundred thousand) customers. It means the hacker now holds more than 1,00,000 credit card records, and he does not need to do any other work.
I think it is now clear why data protection at the application level is important. If the website uses highly secure cryptographic algorithms to store data, the hacker will not be able to recover the original data even if he has the whole database of the website. In this way he will not be able to harm customers at all. If the website uses an easy-to-crack algorithm such as MD5 to protect the data before storage, the hacker will be able to recover the data easily. So developers must know which data needs to be protected and how to protect it.
Why do web applications fail to protect sensitive data?
All programming languages have built-in support for cryptography, which allows developers to add cryptographic security to the application easily. Although programming languages give built-in support for cryptography, programmers still fail to protect data in web applications. There are many reasons for this vulnerability to exist in web applications. These are some of them:
- Developers do not know which data must be protected with encryption. This is the most important reason why this vulnerability exists: most web developers only care about the functionality of the web application.
- Developers store the data as plain text, assuming that no one has access to the website database. Then an attacker finds a SQL injection vulnerability in the website code and extracts the whole database. As the information was stored as plain text, the attacker has more than he wanted.
- Developers do not know the proper use of highly secure encryption algorithms. Generally they use old and less secure algorithms such as MD5, SHA-1, RC3, RC4, etc. There are many freely available tools which can crack these algorithms and recover the data in a few seconds.
- Developers use strong cryptographic algorithms in the wrong manner. In this case an attacker can analyze and break the algorithm's protection by finding security holes in the way the algorithm is used.
Sometimes everything is implemented fine but the key exchange or key storage is done in the wrong manner, which allows an attacker to get access to the key. After the key is disclosed, it is no more than child's play for the attacker to break the security.
How to verify data security?
In a web application, developers must properly verify that the application encrypts sensitive information in storage. There are many vulnerability scanners available which scan for various types of vulnerabilities, but these scanners cannot identify cryptographic vulnerabilities. There are some code scanning tools available which can detect the algorithm used to encrypt data in the web application, but they cannot detect whether the algorithm is used properly or not, and they cannot detect which data the encryption is being applied to. Thus we can say that there is no automatic tool available which can detect the insecure cryptographic storage vulnerability, so we can only detect this vulnerability by manual methods. The best way to verify this vulnerability is code review. This is the best way to verify that a web application encrypts all the sensitive data it handles and has properly implemented the mechanism and key management used to encrypt that data. Code review involves the process of verifying the cryptographic algorithm and its usage.
In this process, each part of the code is analyzed for insecure data storage. All the data is analyzed, and the data which is sensitive and needs cryptographic storage is marked. Then it is checked whether proper encryption is applied to that data within the web application, and whether the encryption is easy to crack or not. If any vulnerability is found, a proper mechanism is applied to patch it.
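A small grep-style triage script for the manual code review described above, added here as an example and not part of the original post. It runs over a constructed sample of application source and flags three of the primitives the post names plus one plaintext-password pattern; as the post says, such a scan can only narrow what the reviewer looks at, not judge whether a strong algorithm is used correctly.

```python
import re

# Constructed sample of web-application source lines (not code from any real project).
SAMPLE_SOURCE = """\
import hashlib
def save_user(db, username, password):
    db.execute("INSERT INTO users(name, pw) VALUES (?, ?)", (username, password))
def save_user_md5(db, username, password):
    digest = hashlib.md5(password.encode()).hexdigest()
    db.execute("INSERT INTO users(name, pw) VALUES (?, ?)", (username, digest))
cipher = ARC4.new(key)
def save_user_ok(db, username, password, salt):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600000)
    db.execute("INSERT INTO users(name, pw) VALUES (?, ?)", (username, digest))
"""

# Weak primitives the post tells developers to avoid, matched case-insensitively.
WEAK_PRIMITIVES = [
    (re.compile(r"\bmd5\b", re.I), "weak hash MD5"),
    (re.compile(r"\bsha-?1\b", re.I), "weak hash SHA-1"),
    (re.compile(r"\b(?:rc4|arc4)\b", re.I), "weak cipher RC4"),
]
# Heuristic: a raw `password` identifier on the same line as an INSERT is a
# plaintext-storage smell; a hashed value is normally stored under another name.
INSERT_RE = re.compile(r"\bINSERT\b", re.I)
PASSWORD_RE = re.compile(r"\bpassword\b")
PLAINTEXT_MSG = "plaintext password written to the database"


def review_source(source: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for a reviewer to inspect by hand."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, label in WEAK_PRIMITIVES:
            if pattern.search(line):
                findings.append((lineno, label))
        if INSERT_RE.search(line) and PASSWORD_RE.search(line):
            findings.append((lineno, PLAINTEXT_MSG))
    return findings


if __name__ == "__main__":
    for lineno, finding in review_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {finding}")
```

Every hit still has to be read in context: the PBKDF2 line is not flagged, but only a human can confirm that its salt is random and per-user.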
There are a few things which must be considered:
- Ensure that the web application is using cryptographic algorithms properly.
- Ensure that passwords are stored hashed and salted.
- Ensure that the cryptographic protection remains secure even if access controls fail.
- Ensure that core credentials such as database credentials are securely stored.
- Ensure that all keys (cryptographic algorithm keys) and passwords are strongly protected from unauthorized access.
- Ensure that offsite backups are encrypted, and that the keys used for backup encryption are managed and backed up separately to provide better security.
How to prevent Insecure Cryptographic Storage?
The most important thing while using a web application is to ensure that everything which must be encrypted is actually encrypted properly. For this you must check that the cryptography is implemented properly in the different modules of the web application. These are some ways you can use to test for the vulnerability and then patch it to protect secure data in your web application.
First of all, make the website's database as secure as possible. Check each URL for SQL injection vulnerabilities. The database of the website must be secure, because this is the security hole which leads to data exposure.
If the data is sensitive, you must store it with proper use of encryption. Developers must identify the sensitive data before development and then apply proper encryption. These are some examples of data which must be protected:
- Credit card numbers
- Usernames
- Passwords
- Users' personal data such as email addresses and phone numbers
Always store the hashed and salted value of the password in the database. These are hard to crack and cryptographically secure.
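As an added illustration (not code from the original post), the unsalted MD5 storage the post warns against beside a salted, iterated PBKDF2-HMAC-SHA256 form using only the Python standard library; the iteration count is an assumption and should be tuned for your hardware.

```python
import hashlib
import hmac
import secrets

# Weak pattern described in the post: plain MD5, no salt, no work factor.
# Every user who picks the same password gets the same stored value, so one
# precomputed table of common passwords cracks all of them at once.
def weak_md5_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Hardened form: per-user random salt, slow key derivation, constant-time check.
PBKDF2_ITERATIONS = 600_000  # assumption: raise until hashing takes ~0.1 s on your server


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = secrets.token_bytes(16)  # fresh 128-bit salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Store algorithm, iterations and salt with the hash so they can be rotated later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    # hmac.compare_digest avoids leaking where the comparison fails via timing.
    return hmac.compare_digest(candidate, expected)


def same_password_same_hash(hash_fn, password: str) -> bool:
    """True if two users choosing the same password end up with identical stored values."""
    return hash_fn(password) == hash_fn(password)
```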
If the website is storing any important sensitive data in the database for a long period of time, it must be stored in encrypted form.
Never create new cryptographic algorithms to use in your web application. There may be many security holes in your algorithms. So use only trusted and approved public cryptographic algorithms such as AES, RSA public key cryptography and SHA-256 or better for data security. Leave this work to cryptography experts and researchers.
Avoid use of RC3, RC4, MD5 and SHA1. There are many free online tools which can crack these within a few seconds. Always use highly secure alternative cryptographic algorithms, such as SHA-256 or better.
Keys are the main part of any cryptographic algorithm. The data is secure only as long as the key is protected. So generate cryptographic keys offline. If you are using asymmetric key encryption in your application, make sure to store private keys with extreme security and care. If there is any need for key transmission, never use an insecure channel, as it may expose the key. So use the HTTPS protocol for such secure data transmission. This must be taken care of.
If your web application contains modules for online payment, be sure to follow the Payment Card Industry (PCI) Data Security Standard. Always protect cardholder data and encrypt it in all transmissions across all networks, whether public or private. In the case of a public network, it needs some extra care.
Never store unnecessary data in your database that may be sensitive. According to PCI standards, websites cannot store the CVV number (the three-digit number on the back of the card) in the database under any circumstances. There are strict actions in case of failure, and there is no need to store it: the user will enter the CVV number each time he wants to purchase something with the credit card.
Ensure that the encrypted data stored in your application is not easy to decrypt. Be sure that the algorithms used to encrypt and protect the data are hard to crack. If the algorithm used to encrypt the data is weak, then change the algorithm. This must be checked before using any encryption algorithm.
Conclusion: Insecure Cryptographic Storage is a dangerous web application vulnerability which is harmful to both the website owner and the website's users. Most of the popular websites are vulnerable to this. Many website developers still store passwords as plain text in the database. Some developers are better and use MD5 as the cryptographic algorithm to store passwords. But all of these are really dangerous. There are many hacking tools available which can easily expose the database of a website. In case of database exposure, an attacker can easily misuse passwords stored in plain text.
So webmasters must have proper guidelines for the developers. They must identify the data which should be stored in a cryptographically secure way in the database. If the website has password-protected areas and user login, then passwords must be encrypted, i.e. hashed and salted, before being stored in the website database. This is the best security practice. If the website has a module for online payment, it must follow the Payment Card Industry (PCI) Data Security Standards. I recommend reading the PCI DSS guidelines and implementing controls as necessary. After the development of the web application, it needs proper testing to check whether the website is using proper cryptographic algorithms or not. Everything must be checked properly, as a single security hole can expose all the secret data of the web application.