A range of vulnerabilities can be classified as Sensitive Data Exposure, with the common theme that they involve accidental exposure of sensitive information that should have been cryptographically secured.
Most commonly, vulnerable applications simply don’t encrypt sensitive data at all, storing it in a database that may be compromised by SQL injection or other types of attacks.
Another common mistake is to use weak cryptographic algorithms or keys. With the advent of powerful GPUs and ASICs, attackers are now capable of carrying out brute force attacks against weak cryptographic algorithms, such as MD5, which many considered a suitable password hashing algorithm only a few years ago.
In this example, we consider a web application that allows users to sign in and manage their data. When the user signs in, their unique ID is stored in a cryptographically secured session cookie on their computer.
When building the application, the developers used a framework that includes functionality for securely storing session data using cookies. One of the configuration options of the framework is a “secret key”. This is the key that is used to encrypt and decrypt the cookie that is stored on the user’s computer. In this case, the developers started out by simply setting the key to “my secret key” and never got around to generating a proper cryptographic key.
An attacker is looking to gain access to the private data of arbitrary users. After visiting the web application and receiving a session cookie, the attacker runs a brute force hashing application on a powerful GPU and within a few minutes finds the key that will decrypt the cookie: “my secret key”. Using this key, the attacker can now generate a session cookie with another user’s unique ID and thus sign in as any user without knowing their password.
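The following is an added example (not code from the original article or from any particular framework) showing the two halves of the scenario from a reviewer’s side: a simplified HMAC-signed session cookie, an audit function that checks whether a cookie from your own deployment verifies under a small constructed list of known-weak default keys such as “my secret key”, and the proper way to generate the key. The cookie layout, the function names and the weak-key list are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed list of weak/default values a code reviewer would check a
# deployment's configured key against; the page's "my secret key" is one.
WEAK_DEFAULT_KEYS = [b"my secret key", b"secret", b"changeme", b"dev"]


def sign_session(user_id: int, key: bytes) -> str:
    """Build a session cookie as base64(JSON payload) '.' HMAC-SHA256 tag.
    Assumed layout for this example, not any real framework's format."""
    payload = base64.urlsafe_b64encode(json.dumps({"uid": user_id}).encode())
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}.{tag}"


def verify_session(cookie: str, key: bytes):
    """Return the user ID if the tag verifies under `key`, else None."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: never compare MAC tags with == .
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["uid"]


def audit_cookie_key(cookie: str, candidates=WEAK_DEFAULT_KEYS):
    """Reviewer's check: does a cookie issued by our own deployment verify
    under any known-weak key? Returns the offending key, or None if clean."""
    for key in candidates:
        if verify_session(cookie, key) is not None:
            return key
    return None


def generate_secret_key() -> bytes:
    """256 bits from the OS CSPRNG; keep it out of the code base (env var or
    secret store) so it can be rotated without a redeploy of the source."""
    return secrets.token_bytes(32)
```

A cookie signed with the weak key is flagged by the audit, while one signed with a generated key is not, and a tampered tag is rejected regardless of the key.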
The primary way to defend against attackers gaining access to sensitive data is through thorough review of the application code and environment. When we review applications, we focus particularly on the proper usage of secure cryptographic algorithms, safe storage of secret keys and transport security, and we identify any occurrences of missing cryptographic protection.
More useful information may be found at:
We provide code security reviews as a service. Based on our extensive experience in the field of software engineering and IT security, we know how to efficiently review entire code bases and identify the security-critical parts of the software.
This enables us to provide our security code review service at a fixed rate per review, providing our customers a transparent, efficient and reliable process.
Fixed Price per Review