# Cryptographic Failures (A02:2021)

Failures related to cryptography which often lead to sensitive data exposure. This was previously known as Sensitive Data Exposure.

## Overview

Shifting up one position to #2, this category was previously known as Sensitive Data Exposure. The focus is on failures related to cryptography, which often lead to sensitive data exposure or system compromise.

## How Attackers Exploit This

### Data exposure in transit

Sensitive data transmitted over unencrypted connections can be intercepted. This includes passwords, session tokens, and personal information.

**Detection signal:** HTTP (not HTTPS) requests containing authentication data or sensitive information.

### Weak cryptographic storage

Data stored with weak or broken cryptographic algorithms (MD5, SHA1, DES) can be recovered by attackers who gain database access.

**Detection signal:** Database dumps containing password hashes produced by known weak algorithms.

## How to Prevent

- Classify data processed, stored, or transmitted by an application
- Don't store sensitive data unnecessarily
- Encrypt all sensitive data at rest
- Use up-to-date and strong standard algorithms and protocols
- Encrypt all data in transit with secure protocols such as TLS
- Disable caching for responses containing sensitive data
- Store passwords using strong salted hashing functions

## CWEs with Detection Rules (8)

- **CWE-319**: Cleartext Transmission of Sensitive Information (6 rules) [go, kubernetes, yaml, python]
- **CWE-327**: Use of a Broken or Risky Cryptographic Algorithm (4 rules) [go, javascript, typescript, python]
- **CWE-338**: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (4 rules) [go, javascript, typescript, python]
- **CWE-347**: Improper Verification of Cryptographic Signature (4 rules) [python, go, javascript, typescript]
- **CWE-326**: Inadequate Encryption Strength (2 rules) [python]
- **CWE-916**: Use of Password Hash With Insufficient Computational Effort (2 rules) [javascript, typescript, python]
- **CWE-321**: Use of Hard-coded Cryptographic Key (1 rule) [javascript, typescript]
- **CWE-330**: Use of Insufficiently Random Values (1 rule) [go]

## Other Mapped CWEs (22)

- CWE-261
- CWE-296
- CWE-310
- CWE-322
- CWE-323
- CWE-324
- CWE-325
- CWE-328
- CWE-329
- CWE-331
- CWE-335
- CWE-336
- CWE-337
- CWE-339
- CWE-340
- CWE-523
- CWE-720
- CWE-757
- CWE-759
- CWE-760
- CWE-780
- CWE-818

## Quick Reference

- Total CWEs: 30
- With Shoulder rules: 8
- Detection rules: 24
- Critical rules: 2
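The salted-hashing advice under "How to Prevent" and the weak-hash detection signal under "Weak cryptographic storage", as an added Python example that is not part of the original page or the Shoulder rule set: it places the unsalted MD5 pattern (CWE-916 / CWE-327) beside a PBKDF2-HMAC-SHA256 replacement using only the standard library, and adds a small triage helper that flags bare MD5/SHA1-shaped records in a dump. The iteration count and the stored-record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re

# Weak pattern (CWE-916 / CWE-327): one unsalted MD5 pass. Equal passwords
# give equal digests, and a leaked dump can be attacked offline at high speed.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Hardened pattern: PBKDF2-HMAC-SHA256, per-user random salt from a CSPRNG,
# high iteration count. The stored record carries its own parameters so the
# cost can be raised later without breaking existing accounts.
PBKDF2_ITERATIONS = 600_000  # assumed default; tune to your latency budget

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)  # os.urandom, never random.random() (CWE-338)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so a mismatch does not leak through timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Triage helper for the detection signal: a bare 32- or 40-char hex string
# with no algorithm/salt/cost fields has the shape of an unsalted MD5 or SHA1.
_BARE_HEX = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40})$", re.IGNORECASE)

def looks_weak(stored: str) -> bool:
    return bool(_BARE_HEX.match(stored.strip()))

def audit_dump(records: list[str]) -> list[int]:
    """Return indexes of records that look like unsalted MD5/SHA1 hashes."""
    return [i for i, rec in enumerate(records) if looks_weak(rec)]

if __name__ == "__main__":
    # Constructed sample dump: two legacy MD5 rows and one PBKDF2 row.
    dump = [weak_hash("password"), weak_hash("letmein"), hash_password("s3cret", 1000)]
    print("weak records at:", audit_dump(dump))  # -> [0, 1]
```

Rehashing legacy records on the user's next successful login (verify against the old digest, then store a PBKDF2 record) is the usual way to retire the flagged rows without a forced reset.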