<!DOCTYPE html> <html lang=""> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="description" content="A3:2017-Sensitive Data Exposure on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software."> <meta property="og:description" content="A3:2017-Sensitive Data Exposure on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software."> <meta propery="og:title" content="OWASP Top Ten 2017 | A3:2017-Sensitive Data Exposure | OWASP Foundation"> <meta property="og:url" content="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html"> <meta property="og:locale" content="en_US"> <!-- should probably look at using article at some point for www-community at least --> <meta property="og:type" content="website" /> <meta property="og:image" content="https://owasp.org/www--site-theme/favicon.ico" /> <meta http-equiv="X-Content-Type-Options" content="nosniff"> <meta http-equiv="X-XSS-Protection" content="1; mode=block"> <link rel="canonical" href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure" /> <!-- Global site tag (gtag.js) - Google Analytics --> <!-- <script async src="https://www.googletagmanager.com/gtag/js?id=UA-4531126-1"></script> --> <!-- <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-4531126-1'); </script> --> <!-- Google Analytics --> <script src="https://owasp.org/www--site-theme/assets/js/js.cookie.min.js"></script> <script> if(Cookies.get('cookies-ok') == 'true' && window.ga === undefined) { window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date; ga('create', 'UA-4531126-1', 'auto'); ga('send', 'pageview'); } else if (Cookies.get('cookies-ok') == 'true') { ga('send', 'pageview'); } function 
handleOutboundLinkClicks(event) { var href = ''; if(event.target.href == undefined) href = event.target.parentElement.href; else href = event.target.href if(Cookies.get('cookies-ok') == 'true'){ ga('send', 'event', { eventCategory: 'Outbound Link', eventAction: 'click', eventLabel: href, transport: 'beacon' }); } } </script> <script async src='https://www.google-analytics.com/analytics.js'></script> <!-- End Google Analytics --> <link rel="stylesheet" href="https://owasp.org/www--site-theme/assets/css/styles.css"> <link rel="shortcut icon" type="images/x-icon" href="https://owasp.org/www--site-theme/favicon.ico"> <script src="https://owasp.org/www--site-theme/assets/js/jquery-3.7.1.min.js"></script> <script src="https://owasp.org/www--site-theme/assets/js/util.js"></script> <script src="https://owasp.org/www--site-theme/assets/js/yaml.min.js"></script> <script src="https://owasp.org/www--site-theme/assets/js/kjua.min.js"></script> <title>OWASP Top Ten 2017 | A3:2017-Sensitive Data Exposure | OWASP Foundation</title> <script type="text/javascript"> $(function(){ var baseurl = "https://github.com/OWASP/www-project-top-ten/blob/master/"; var path = "2017/A3_2017-Sensitive_Data_Exposure.md"; $('.repo').html('<a href=' + baseurl + path + '><div class="reset-3c756112--menuItemIcon-206eb252" style="float: left;"><svg preserveAspectRatio="xMidYMid meet" height="1em" width="1em" fill="currentColor" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 438.549 438.549" stroke="none" class="icon-7f6730be--text-3f89f380"><g><path d="M409.132 114.573c-19.608-33.596-46.205-60.194-79.798-79.8-33.598-19.607-70.277-29.408-110.063-29.408-39.781 0-76.472 9.804-110.063 29.408-33.596 19.605-60.192 46.204-79.8 79.8C9.803 148.168 0 184.854 0 224.63c0 47.78 13.94 90.745 41.827 128.906 27.884 38.164 63.906 64.572 108.063 79.227 5.14.954 8.945.283 11.419-1.996 2.475-2.282 3.711-5.14 3.711-8.562 0-.571-.049-5.708-.144-15.417a2549.81 2549.81 0 0 1-.144-25.406l-6.567 1.136c-4.187.767-9.469 
1.092-15.846 1-6.374-.089-12.991-.757-19.842-1.999-6.854-1.231-13.229-4.086-19.13-8.559-5.898-4.473-10.085-10.328-12.56-17.556l-2.855-6.57c-1.903-4.374-4.899-9.233-8.992-14.559-4.093-5.331-8.232-8.945-12.419-10.848l-1.999-1.431c-1.332-.951-2.568-2.098-3.711-3.429-1.142-1.331-1.997-2.663-2.568-3.997-.572-1.335-.098-2.43 1.427-3.289 1.525-.859 4.281-1.276 8.28-1.276l5.708.853c3.807.763 8.516 3.042 14.133 6.851 5.614 3.806 10.229 8.754 13.846 14.842 4.38 7.806 9.657 13.754 15.846 17.847 6.184 4.093 12.419 6.136 18.699 6.136 6.28 0 11.704-.476 16.274-1.423 4.565-.952 8.848-2.383 12.847-4.285 1.713-12.758 6.377-22.559 13.988-29.41-10.848-1.14-20.601-2.857-29.264-5.14-8.658-2.286-17.605-5.996-26.835-11.14-9.235-5.137-16.896-11.516-22.985-19.126-6.09-7.614-11.088-17.61-14.987-29.979-3.901-12.374-5.852-26.648-5.852-42.826 0-23.035 7.52-42.637 22.557-58.817-7.044-17.318-6.379-36.732 1.997-58.24 5.52-1.715 13.706-.428 24.554 3.853 10.85 4.283 18.794 7.952 23.84 10.994 5.046 3.041 9.089 5.618 12.135 7.708 17.705-4.947 35.976-7.421 54.818-7.421s37.117 2.474 54.823 7.421l10.849-6.849c7.419-4.57 16.18-8.758 26.262-12.565 10.088-3.805 17.802-4.853 23.134-3.138 8.562 21.509 9.325 40.922 2.279 58.24 15.036 16.18 22.559 35.787 22.559 58.817 0 16.178-1.958 30.497-5.853 42.966-3.9 12.471-8.941 22.457-15.125 29.979-6.191 7.521-13.901 13.85-23.131 18.986-9.232 5.14-18.182 8.85-26.84 11.136-8.662 2.286-18.415 4.004-29.263 5.146 9.894 8.562 14.842 22.077 14.842 40.539v60.237c0 3.422 1.19 6.279 3.572 8.562 2.379 2.279 6.136 2.95 11.276 1.995 44.163-14.653 80.185-41.062 108.068-79.226 27.88-38.161 41.825-81.126 41.825-128.906-.01-39.771-9.818-76.454-29.414-110.049z"></path></g></svg><span style="padding-left:8px;">Edit on Github</span></div></a>'); }); </script> </head> <body class="base-grid full-width"> <div id="blocker"></div> <noscript>For full functionality of this site it is necessary to enable JavaScript. 
Here are the <a href="http://turnonjs.com/"> instructions how to enable JavaScript in your web browser</a>.</noscript> <header role="banner"> <div id="banner" class="notice" aria-label="announcement"> </div> <style> #banner img { max-width: 30em; } @media (max-width: 1131px) { #banner img { max-width: 30em; } } @media (max-width: 800px) { #banner img { max-width: 20em; } } @media (max-width: 600px) { #banner img { max-width: 20em; } } @media (max-width: 450px) { #banner img { max-width: 250px; } } </style> <script type="text/javascript"> $(function () { var bannerdata = []; banneryaml = YAML.load('https://owasp.org/www-project-top-ten/assets/sitedata/banner-data.yml'); $.each(banneryaml, function (index) { bannerdata.push(this); }); if (bannerdata.length > 0) { var htmlstring = ""; var usebanner = null; var defbanner = null; var checkdate = new Date(); //local time but who cares about the time? bannerdata.forEach(data => { if (data.start) { var start = data.start; if (data.start <= checkdate) { if (data.end) { var end = data.end; if (checkdate < end) { usebanner = data; } } else usebanner = data; } } else { defbanner = data; } }); if (defbanner && !usebanner) usebanner = defbanner; if (usebanner) { htmlstring = usebanner.text; htmlstring += "<a href='#' id='close-banner' aria-label='close announcement' style='float:right;'><i class='fa fa-times'></i></a>"; $("#banner").html(htmlstring); $("#banner").removeClass("notice"); $("#banner").addClass(usebanner.type); $("#close-banner").click(function() { $(this).closest("#banner").remove(); Cookies.set('banner-seen', 'true', { expires: 7 }); }); } } }); </script> <div id="popup" class="notice" aria-label="announcement"> </div> <style> #banner img { max-width: 30em; } @media (max-width: 1131px) { #banner img { max-width: 30em; } } @media (max-width: 800px) { #banner img { max-width: 20em; } #popup { visibility: hidden; } } @media (max-width: 600px) { #popup { visibility: hidden; } #banner img { max-width: 20em; } } @media 
(max-width: 450px) { #banner img { max-width: 250px; } #popup { visibility: hidden; } } </style> <script type="text/javascript"> $(function () { var popdata = []; $("#popup").hide(); popyaml = YAML.load('https://owasp.org/www-project-top-ten/assets/sitedata/popup-data.yml'); $.each(popyaml, function (index) { popdata.push(this); }); if (popdata.length > 0) { var htmlstring = ""; var usepop = null; var defpop = null; var checkdate = new Date(); //local time but who cares about the time? popdata.forEach(data => { if (data.start) { var start = data.start; if (data.start <= checkdate) { if (data.end) { var end = data.end; if (checkdate < end) { usepop = data; } } else usepop = data; } } else { defpop = data; } }); if (defpop && !usepop) usepop = defpop; if (usepop) { htmlstring = usepop.text; htmlstring += "<a href='#' id='close-popup' aria-label='close announcement' style='float:right;'><i class='fa fa-times'></i></a>"; $("#popup").html(htmlstring); $("#popup").removeClass("notice"); $("#popup").addClass(usepop.type); if( Cookies.get('popup-seen')!='true') { $("#popup").show(); } $("#close-popup").click(function() { $(this).closest("#popup").remove(); Cookies.set('popup-seen', 'true', { expires: 7 }); }); } } }); </script> <div class="header-wrapper" aria-label="main navigation"> <nav class="alt-nav"> <a href="#" class="menu-toggler" aria-hidden="true"> <i class="fa fa-bars"></i> </a> <a href="https://owasp.org/" class="alt-logo" aria-label="go to homepage"> <img src="https://owasp.org/assets/images/logo.png" alt="OWASP logo"> </a> <div id="overlay" class="remove-el"> </div> <!-- jekyll menu stuff --> </nav> <nav class="top-nav" role="navigation" aria-label="primary navigation"> <a href="https://owasp.org/" class="desktop-logo" aria-label="go to homepage"> <img src="https://owasp.org/assets/images/logo.png" alt=""> </a> <!-- jekyll menu stuff --> <div id="midmenu" class="top-nav"></div> <div class="interactive-wrapper"> <div class="nav-button" aria-label="donate to or 
join OWASP"> <a href="https://owasp.org/store" class="cta-button white inset"><i class="fa fa-shopping-cart" aria-hidden="true"></i> Store</a> <a href="https://owasp.org/donate?reponame=www-project-top-ten&title=A3%3A2017-Sensitive+Data+Exposure" class="cta-button green">Donate</a> <a href="https://owasp.org/membership" class="cta-button">Join</a> </div> </div> </nav> <div id='disclaimer-container'> <div id="disclaimer"> <p>This website uses cookies to analyze our traffic and only share that information with our analytics partners.</p><a class="disclaimerOK">Accept</a> </div> <div id="close-disclaimer">x</div> </div> </div> <div class="mobile" style="width:100%;display: flex; justify-content: space-evenly;align-items: center;padding: 8px; background-color: #98afc7;"> <div><a href="https://owasp.org/store" class="cta-button white inset"><i class="fa fa-shopping-cart" aria-hidden="true"></i>Store</a></div> <div><a href="https://owasp.org/donate?reponame=www-project-top-ten&title=A3%3A2017-Sensitive+Data+Exposure" class="cta-button green">Donate</a></div> <div><a href="https://owasp.org/membership" class="cta-button">Join</a></div> </div> <script type="text/javascript"> $(function(){ url = $(location).attr('href'); if(url.includes('www2')) { url = url.replace(/www2./, ''); $(location).attr('href',url); return; } // this works to get data from a json file NOT in data $.getJSON("https://owasp.org/www--site-theme/assets/sitedata/menus.json", function(data) { var listr = "<ul aria-label='header menu'>"; var mlistr = "<ul class='mobile-menu hide-el' role='navigation' aria-label='mobile primary navigation'>"; mlistr += "<li><a href='#' class='menu-toggler' aria-hidden='true'><i class='fa fa-times'></i></a></li>"; mlistr += "<li>"; mlistr += "<form role='search' method='get' action='https://owasp.org/search'>"; mlistr += "<div class='search-div'>"; mlistr += "<input id='searchString' aria-label='search input' name='searchString' class='search-bar' type='search' 
placeholder='Search OWASP.org' required='true'>"; mlistr += "<button id='search-button' aria-label='search button' type='submit' class='fa fa-search' style='padding-left: 8px;'></button></div></form>"; mlistr += "</li>"; $.each(data.menus, function (ndx, menu){ listr += "<li><a href='" + menu.url + "'>" + menu.title + "</a>"; searchitem = issearch(menu.title); if(!menu.items && !searchitem) { mlistr += "<li><a href='" + menu.url + "'>" + menu.title + "</a>"; } if(menu.items){ listr += "<ul class='dropdown-menu'>"; if(!searchitem) { mlistr += "<button class='accordion'>" + menu.title + "</button>"; mlistr += "<div class='panel'>"; mlistr += "<ul>"; } $.each(menu.items, function(ndx, item){ if(item.separator) { listr += "<li class='separator'>"; if(!searchitem) mlistr += "<li class='separator'>"; } else { listr += "<li>"; if(!searchitem) mlistr += "<li>"; } listr += "<a href='" + item.url + "'"; if(!searchitem) mlistr += "<a href='" + item.url + "'"; if(item.opentab) { listr += " target='_blank' rel='noopener noreferrer'"; if(!searchitem) mlistr += " target='_blank' rel='noopener noreferrer'"; } listr += ">" + item.title + "</a></li>"; if(!searchitem) mlistr += ">" + item.title + "</a></li>"; }); listr += "</ul>"; if(!searchitem){ mlistr += "</ul>"; mlistr += "</div>"; } } listr += "</li>"; if(!searchitem) mlistr += "</li>"; }); listr += "</ul>"; mlistr += "<li><a href='https://owasp.org/donate'>MAKE A DONATION</a></li>"; mlistr += "<li><a href='https://owasp.org/membership'>BECOME A MEMBER</a></li>"; mlistr += "<li><a href='https://owasp.org/sitemap'>SITEMAP</a></li>"; mlistr += "</ul>"; //$('.desktop-logo').after(listr); $('#midmenu').html(listr); $('#overlay').after(mlistr); $(".accordion").click(function () { $(this).toggleClass("active"); if($(this).next('.panel').css('display') == 'block'){ $(this).next('.panel').css('display', 'none'); } else { $(this).next('.panel').css('display', 'block'); } }); $(".menu-toggler").click(function() { 
$(".mobile-menu").toggleClass('hide-el'); }); }); }); function issearch(title) { return title.indexOf('fa fa-search') > -1; } </script> </header> <main role="main"> <div class="main-wrapper"><div id="main" class="page-body tab" role="tabpanel" aria-labelledby="main-link" tabindex="0"> <div class="doc-title">OWASP Top Ten 2017</div> <table style="width: 100%; margin: 0; border: 0; padding: 0; border: 0; background-color: white;"> <tr style="background-color: white; border: 0; margin:0;"> <td style="width: 67%; text-align: left; border: 0; border-width: 0; margin:0;"> <h1 class="page-title">A3:2017-Sensitive Data Exposure</h1> </td> <td style="width: 33%; text-align: right; border: 0; border-width: 0; margin:0;">Languages: [en] <a href="/www-project-top-ten/2017/de/A3_2017-Verlust_der_Vertraulichkeit_sensibler_Daten" class="de">de</a></td> </tr> </table> <nav role="navigation" aria-label="navigate page"> <table style="width: 100%;"> <tr style="background-color: white; border: 0;"> <td style="width: 33%; text-align: left; border: 0;"><a href="/www-project-top-ten/2017/A2_2017-Broken_Authentication"><span style="font-size:120%;">&#8592;&#160;</span>A2:2017-Broken Authentication</a></td><td style="width: 33%; text-align: center; border: 0;"> <center><a href="/www-project-top-ten/2017/" title="OWASP Top Ten 2017"> OWASP Top Ten 2017 </a><br> <p><a href="https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010-2017%20(en).pdf" title="OWASP Top Ten 2017.pdf">PDF version</a></p> </center></td> <td style="width: 33%; text-align:right; border: 0;"><a href="/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)">A4:2017-XML External Entities (XXE)<span style="font-size:120%;">&#160;&#8594;</span></a></td> </tr> </table> </nav> <section id='div-main' class='page-body tab'> <center><table style=" width: 100%; align:center; border-collapse: collapse; text-align:center; margin: 0px 0px 10px 0px; border: 3px solid #444444; background-color: transparent; padding=2;"> 
<tr style="font-weight: bold; background-color: #4a1647; border: 3px solid #444444; height: 2em; font-size: 130%; color: #FFFFFF; text-shadow: 2px 2px 8px #000000;"> <th width="33%" colspan="2" style="border: 3px solid #444444;">Threat Agents / Attack Vectors</th> <th width="33%" colspan="2" style="border: 3px solid #444444;">Security Weakness</th> <th width="33%" colspan="2" style="border: 3px solid #444444;">Impacts</th> </tr> <tr> <td style="font-weight: bold; border: 3px solid #444444; background-color: #D9D9D9; color: #000000;">App. Specific</td> <td style="font-weight: bold; border: 3px solid #444444;background-color: #FC9803; color: #000000" width="16.5%">Exploitability: 2 </td> <td style="font-weight: bold; border: 3px solid #444444;background-color: #E65000; color: #FFFFFF" width="16.5%">Prevalence: 3 </td> <td style="font-weight: bold; border: 3px solid #444444;background-color: #FC9803; color: #000000" width="16.5%">Detectability: 2 </td> <td style="font-weight: bold; border: 3px solid #444444;background-color: #E65000; color: #FFFFFF" width="16.5%">Technical: 3 </td> <td style="font-weight: bold; background-color: #D9D9D9; color: #000000; border: 3px solid #444444">Business ?</td> </tr><tr><td colspan="2" style="vertical-align: top; text-align: left; border: 3px solid #444444; background-color: #F2F1FF;"> <div>Rather than directly attacking crypto, attackers steal keys, execute man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user's client, e.g. the browser. A manual attack is generally required. Previously retrieved password databases can be brute forced offline with Graphics Processing Units (GPUs).</div></td><td colspan="2" style="vertical-align: top; text-align: left; border: 3px solid #444444; background-color: #F2F1FF;"> <div>Over the last few years, this has been the most common impactful attack. The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management and weak algorithm, protocol and cipher usage are common, particularly weak password hashing storage techniques. Server-side weaknesses in data-in-transit protection are mostly easy to detect; weaknesses in data-at-rest protection are hard to detect.</div></td><td colspan="2" style="vertical-align: top; text-align: left; border: 3px solid #444444; background-color: #F2F1FF;"> <div>Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive personal information (PII) such as health records, credentials, personal data, and credit card numbers, which often require protection as defined by laws or regulations such as the EU GDPR or local privacy laws.</div></td> </tr> </table></center> <table style="border: none; text-align: left; width: 100%; margin: 0px 0px 10px 0px; border-spacing:5px 5px;"><tr> <td style="vertical-align: top; padding: 5px; width: 50%; border: 3px solid #4a1647; background-color: #F2F1FF;"> <div style="font-style: bold; color: #4a1647; border-bottom: #999999 solid 1px; margin-bottom: 3px; padding-bottom: 3px; font-size: 150%;">Is the Application Vulnerable?</div> <div>The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information and business secrets require extra protection, particularly if that data falls under privacy laws, e.g. the EU's General Data Protection Regulation (GDPR), or regulations, e.g. financial data protection such as the PCI Data Security Standard (PCI DSS). For all such data:<br /> * Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP, and FTP. External internet traffic is especially dangerous. Verify all internal traffic too, e.g. between load balancers, web servers, or back-end systems.<br /> * Are any old or weak cryptographic algorithms used, either by default or in older code?<br /> * Are default crypto keys in use, are weak crypto keys generated or re-used, or is proper key management or rotation missing?<br /> * Is encryption not enforced, e.g. are any user agent (browser) security directives or headers missing?<br /> * Does the user agent (e.g. app, mail client) fail to verify that the received server certificate is valid?<br /> See <a href="/www-project-application-security-verification-standard">ASVS Crypto (V7), Data Protection (V9), and SSL/TLS (V10)</a></div></td> <td style="vertical-align: top; padding: 5px; width: 50%; border: 3px solid #4a1647; background-color: #F2F1FF;"> <div style="font-style: bold; color: #4a1647; border-bottom: #999999 solid 1px; margin-bottom: 3px; padding-bottom: 3px; font-size: 150%;">How to Prevent</div> <div>Do the following, at a minimum, and consult the references:<br /> * Classify data processed, stored or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.<br /> * Apply controls as per the classification.<br /> * Don't store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen.<br /> * Make sure to encrypt all sensitive data at rest.<br /> * Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.<br /> * Encrypt all data in transit with secure protocols such as TLS with perfect forward secrecy (PFS) ciphers, cipher prioritization by the server, and secure parameters. Enforce encryption using directives like HTTP Strict Transport Security (<a href="https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html">HSTS</a>).<br /> * Disable caching for responses that contain sensitive data.<br /> * Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as <a href="https://www.cryptolux.org/index.php/Argon2">Argon2</a>, <a href="https://wikipedia.org/wiki/Scrypt">scrypt</a>, <a href="https://wikipedia.org/wiki/Bcrypt">bcrypt</a> or <a href="https://wikipedia.org/wiki/PBKDF2">PBKDF2</a>.<br /> * Verify independently the effectiveness of configuration and settings.</div></td></tr> <tr> <td style="vertical-align: top; padding: 5px; width: 50%; border: 3px solid #4a1647; background-color: #F2F1FF;"> <div style="font-style: bold; color: #4a1647; border-bottom: #999999 solid 1px; margin-bottom: 3px; padding-bottom: 3px; font-size: 150%;">Example Attack Scenarios</div> <div><strong>Scenario #1</strong>: An application encrypts credit card numbers in a database using automatic (transparent) database encryption. However, this data is automatically decrypted when retrieved, allowing a SQL injection flaw to retrieve credit card numbers in clear text.<br /> <strong>Scenario #2</strong>: A site doesn't use or enforce TLS for all pages or supports weak encryption. An attacker monitors network traffic (e.g. on an insecure wireless network), downgrades connections from HTTPS to HTTP, intercepts requests, and steals the user's session cookie. The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above, the attacker could alter any transported data, e.g. the recipient of a money transfer.<br /> <strong>Scenario #3</strong>: The password database uses unsalted or simple hashes to store everyone's passwords. A file upload flaw allows an attacker to retrieve the password database.
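What the attacker can do with that stolen file depends entirely on how the hashes were produced. The following is an added example, not code from the OWASP page: it implements the weak scheme Scenario #3 describes (one fast, unsalted hash per user, attacked with a pre-computed table) beside the salted, adaptive scheme the "How to Prevent" list recommends, using only the Python standard library. The wordlist and user records are constructed sample data, and scrypt stands in for Argon2 only because hashlib ships scrypt while Argon2 needs a third-party package.

```python
# Added example, not code from the OWASP page: the two password-storage
# choices Scenario #3 contrasts, using only the Python standard library.
# Assumptions: the wordlist and user records below are constructed sample
# data; scrypt stands in for Argon2 because hashlib ships scrypt and Argon2
# needs a third-party package.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed attacker wordlist (stands in for a real cracking dictionary).
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2"]


# --- What the weak database in Scenario #3 contains: fast, unsalted hashes ---
def weak_hash(password: str) -> str:
    """Plain SHA-256, no salt: the same password always gives the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_rainbow_table(wordlist) -> Dict[str, str]:
    """Pre-compute digest -> password once; reusable against every leaked table."""
    return {weak_hash(pw): pw for pw in wordlist}


def crack_weak(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """Attack cost per leaked hash: one dictionary lookup, no hashing at all."""
    return table.get(stored_digest)


# --- The recommended scheme: per-user salt plus an adaptive work factor ------
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # raise N as hardware gets faster


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Random 16-byte salt + scrypt, stored as 'scrypt$N$salt$key' (hex)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=64 * 1024 * 1024, dklen=32)
    return f"scrypt${SCRYPT_N}${salt.hex()}${key.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and N, then compare in constant time."""
    scheme, n, salt_hex, key_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=64 * 1024 * 1024, dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def demo() -> dict:
    """Two users who chose the same password, stored both ways."""
    table = build_rainbow_table(WORDLIST)
    weak_alice, weak_bob = weak_hash("hunter2"), weak_hash("hunter2")
    strong_alice, strong_bob = strong_hash("hunter2"), strong_hash("hunter2")
    return {
        # unsalted: identical digests, and the table cracks both instantly
        "weak_identical": weak_alice == weak_bob,
        "weak_cracked": crack_weak(weak_alice, table),
        # salted: different digests, so one pre-computed table is useless,
        # and every guess costs the attacker a full scrypt evaluation
        "strong_identical": strong_alice == strong_bob,
        "strong_in_table": strong_alice in table,
        "strong_verifies": verify_strong("hunter2", strong_alice)
                           and verify_strong("hunter2", strong_bob),
        "strong_rejects": verify_strong("hunter3", strong_alice),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The work factor is stored with each hash on purpose: when N is raised later, old records still verify, and they can be re-hashed with the new parameters at the user's next successful login. GPU cracking against the salted scheme is still possible, but at one scrypt evaluation per guess per user rather than one lookup per leaked row.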
All the unsalted hashes can be recovered with a rainbow table of pre-computed hashes. Hashes generated by simple or fast hash functions may be cracked by GPUs, even if they were salted.<br /></div></td> <td style="vertical-align: top; padding: 5px; width: 50%; border: 3px solid #4a1647; background-color: #F2F1FF;"> <div style="font-style: bold; color: #4a1647; border-bottom: #999999 solid 1px; margin-bottom: 3px; padding-bottom: 3px; font-size: 150%;">References</div> <div><strong>OWASP</strong><br /> * <a href="/www-project-proactive-controls/v3/en/c8-protect-data-everywhere">OWASP Proactive Controls: Protect Data Everywhere</a><br /> * <a href="/www-project-application-security-verification-standard">OWASP Application Security Verification Standard (V7, 9, 10)</a><br /> * <a href="https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html">OWASP Cheat Sheet: Transport Layer Protection</a><br /> * <a href="https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html">OWASP Cheat Sheet: User Privacy Protection</a><br /> * <a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html">OWASP Cheat Sheet: Password and Cryptographic Storage</a><br /> * <a href="https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html">OWASP Cheat Sheet: HSTS</a><br /> * <a href="/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/README">OWASP Testing Guide: Testing for weak cryptography</a><br /> <br /> <strong>External</strong><br /> * <a href="https://cwe.mitre.org/data/definitions/202.html">CWE-202: Exposure of sensitive 
information through data queries</a><br /> * <a href="https://cwe.mitre.org/data/definitions/310.html">CWE-310: Cryptographic Issues</a><br /> * <a href="https://cwe.mitre.org/data/definitions/311.html">CWE-311: Missing Encryption</a><br /> * <a href="https://cwe.mitre.org/data/definitions/312.html">CWE-312: Cleartext Storage of Sensitive Information</a><br /> * <a href="https://cwe.mitre.org/data/definitions/319.html">CWE-319: Cleartext Transmission of Sensitive Information</a><br /> * <a href="https://cwe.mitre.org/data/definitions/326.html">CWE-326: Weak Encryption</a><br /> * <a href="https://cwe.mitre.org/data/definitions/327.html">CWE-327: Broken/Risky Crypto</a><br /> * <a href="https://cwe.mitre.org/data/definitions/359.html">CWE-359: Exposure of Private Information (Privacy Violation)</a> </div> </td></tr> </table> </section> <nav role="navigation" aria-label="navigate page"> <table style="width: 100%;"> <tr style="background-color: white; border: 0;"> <td style="width: 33%; text-align: left; border: 0;"><a href="/www-project-top-ten/2017/A2_2017-Broken_Authentication"><span style="font-size:120%;">&#8592;&#160;</span>A2:2017-Broken Authentication</a></td><td style="width: 33%; text-align: center; border: 0;"> <center><a href="https://owasp.org/www-project-top-ten" title="OWASP Top Ten Project"> OWASP Top Ten Project </a><br> <p><a href="https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010-2017%20(en).pdf" title="OWASP Top Ten 2017.pdf">PDF version</a></p> </center></td><td style="width: 33%; text-align:right; border: 0;"><a href="/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)">A4:2017-XML External Entities (XXE)<span style="font-size:120%;">&#160;&#8594;</span></a></td> </tr> </table> </nav> </div> <hr> <div class="repo"> </div> </main> <footer> <section class="footer-wrapper"> <section class="social"> <a href="https://github.com/OWASP/" aria-label="github organization" target="_blank" rel="noopener noreferrer"><i class="fa fa-lg 
fa-github"></i></a> <a href="https://owasp.org/slack/invite" aria-label="slack group" target="_blank" rel="noopener noreferrer"><i class="fa fa-lg fa-slack"></i></a> <a href="https://www.facebook.com/OWASPFoundation" aria-label="facebook group" target="_blank" rel="noopener noreferrer"><i class="fa fa-lg fa-facebook-square"></i></a> <!-- Mastodon Icon will not load; FA instance is too old. Use the SVG instead--> <a href="https://infosec.exchange/@owasp" aria-label="mastodon account" target="_blank" rel="me"><svg xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 448 512"><!--!Font Awesome Free 6.5.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free Copyright 2024 Fonticons, Inc.--><path d="M433 179.1c0-97.2-63.7-125.7-63.7-125.7-62.5-28.7-228.6-28.4-290.5 0 0 0-63.7 28.5-63.7 125.7 0 115.7-6.6 259.4 105.6 289.1 40.5 10.7 75.3 13 103.3 11.4 50.8-2.8 79.3-18.1 79.3-18.1l-1.7-36.9s-36.3 11.4-77.1 10.1c-40.4-1.4-83-4.4-89.6-54a102.5 102.5 0 0 1 -.9-13.9c85.6 20.9 158.7 9.1 178.8 6.7 56.1-6.7 105-41.3 111.2-72.9 9.8-49.8 9-121.5 9-121.5zm-75.1 125.2h-46.6v-114.2c0-49.7-64-51.6-64 6.9v62.5h-46.3V197c0-58.5-64-56.6-64-6.9v114.2H90.2c0-122.1-5.2-147.9 18.4-175 25.9-28.9 79.8-30.8 103.8 6.1l11.6 19.5 11.6-19.5c24.1-37.1 78.1-34.8 103.8-6.1 23.7 27.3 18.4 53 18.4 175z"/></svg></a> <!-- Twitter X Icon will not load; I suspect another dependency (Jekyll?) is using an older version that is conflicting. 
So use the SVG instead--> <a href="https://twitter.com/owasp" aria-label="twitter account" target="_blank" rel="noopener noreferrer"><svg xmlns="http://www.w3.org/2000/svg" height="24" width="24" viewBox="0 0 512 512"><!--!Font Awesome Free 6.5.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free Copyright 2024 Fonticons, Inc.--><path d="M389.2 48h70.6L305.6 224.2 487 464H345L233.7 318.6 106.5 464H35.8L200.7 275.5 26.8 48H172.4L272.9 180.9 389.2 48zM364.4 421.8h39.1L151.1 88h-42L364.4 421.8z"/></svg></a> <a href="https://www.linkedin.com/company/owasp/" aria-label="linkedin account" target="_blank" rel="noopener noreferrer"><i class="fa fa-lg fa-linkedin"></i></a> <a href="https://www.youtube.com/user/OWASPGLOBAL" aria-label="youtube account" target="_blank" rel="noopener noreferrer"><i class="fa fa-lg fa-youtube-square"></i></a> </section> <nav class="bot-nav" role="navigation" aria-label="secondary navigation"> <ul> <li><a href="/">HOME</a></li> <li><a href="/projects/">PROJECTS</a></li> <li><a href="/chapters/">CHAPTERS</a></li> <li><a href="/events/">EVENTS</a></li> <li><a href="/about/">ABOUT</a></li> <li><a href="/www-policy/operational/privacy">PRIVACY</a></li> <li><a href="/sitemap/">SITEMAP</a></li> <li><a href="/contact/">CONTACT</a></li> </ul> </nav> <p class="disclaimer"> Open Web Application Security Project, OWASP, Global AppSec, AppSec Days, AppSec California, SnowFROC, LASCON, and the OWASP logo are trademarks of the OWASP Foundation. Unless otherwise specified, all content on the site is Creative Commons Attribution-ShareAlike v4.0 and provided without warranty of service or accuracy. For more information, please refer to our <a href="/www-policy/operational/general-disclaimer.html">General Disclaimer</a>. Copyright 2024, OWASP Foundation, Inc. </p> </section> </footer> </body> </html>
