Cryptography
As we are aware, encryption helps keep data confidential; it plays an important role in web application security as well. Both encryption of data at rest and encryption of data in transit have to be considered while building a secure web application.
OWASP mapping
Cryptography-related vulnerabilities are part of the OWASP Top 10 2017. They are covered under A3:2017 Sensitive Data Exposure. Some of the vulnerabilities listed under this category are as follows:
- Applications transmitting data in clear text. This concerns protocols such as HTTP, SMTP, and FTP.
- Application using old or weak cryptographic algorithms.
- Application using the default crypto keys.
- Application not enforcing encryption.
- Application not encrypting user sensitive information while in storage.
- Application using an invalid SSL certificate.
Qualys provides an excellent online tool for testing SSL certificates. The following images show sample results from the Qualys SSL test, which can be accessed at https://www.ssllabs...