Encryption Weaknesses: In web applications, encryption plays a vital role because sensitive information is frequently exchanged between client and server in the form of logons or other types of information.
When securing web applications, you must consider the safety of information at two stages: when it is stored and when it is transmitted.
Both stages are potential areas for attack. When considering encryption and its impact on the application, focus on these areas of concern:
Weak Ciphers: Weak ciphers or encoding algorithms are those that use short keys or are poorly designed and implemented.
Use of such weak ciphers can allow an attacker to decrypt data easily and gain unauthorized access to the information.
It is important that you never underestimate the value of the data being stored, processed, or transmitted by your web application.
Consider the data you store for your clients and how to protect it. Sensitive information such as credit card data and Social Security numbers should never be transmitted.
If this type of information needs to be stored, always use the strongest encryption possible or mandated, such as AES 256 or RSA 2048.
If it does not need to be stored, don’t store it. If you need to process payments that will involve this data, use a payment processor that is PCI compliant so you don’t have to take on that task.
Vulnerable Software: Some software implementations that encrypt the transmission of data, such as Secure Sockets Layer (SSL), may suffer from poor programming and thus become vulnerable to attacks such as buffer overflows.
Some tools and resources are available to help in assessing the security of web applications and their associated encryption strategies.
- OpenSSL, an open source toolkit used to implement the SSLv3 and TLS v1 protocols: openssl.org.
- The OWASP guide to common cryptographic flaws: www.owasp.org
- Nessus Vulnerability Scanner, which can list the ciphers in use by a web server: nessus.org
- WinSSLMiM, which can be used to perform an HTTPS man-in-the-middle attack: securiteinfo.com/outils/WinSSLMiM.shtml
- Stunnel, a program that allows the encryption of non-SSL-aware protocols: www.stunnel.org
In late 2014 an attack came to the attention of the security world known as the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack.
This attack showed the vulnerabilities introduced by using legacy protocols with weak encryption.
POODLE was designed to take advantage of browser communications that use SSL 3.0 to provide encryption and authentication services.
In practice, SSL has been superseded by Transport Layer Security (TLS) as a means to provide secure data transmission over the internet.
The situation that allows this attack to take place occurs when a browser doesn’t support TLS but does support SSL 3.0.
When the browser encounters a situation where TLS is not an option, it reverts to SSL 3.0 as its encryption option.
An attacker noticing this situation can insert themselves into the communication session and force the browser to use SSL 3.0 instead.
If an attacker is able to successfully exploit this situation, they can then exploit a design defect in the SSL 3.0 technology to carry the attack further.
The defect allows an attacker to alter the padding at the end of each block, and this makes it less secure.
If this attack continues, the attacker can eventually gain access to resources and data they should not be able to have.
In order to prevent this attack, the browser and servers should be configured in such a way as to prevent the use of SSL 3.0.
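One way to check the server side of this, as an added example that is not part of the original text: the Python below scans web server configuration for nginx `ssl_protocols` and Apache `SSLProtocol` directives that still leave SSL 3.0 enabled. The function names and the sample configuration are constructed for illustration, and the reading of `all` and of unprefixed names is a stated assumption.

```python
import re

# Protocol names that nginx `ssl_protocols` or Apache `SSLProtocol` may list.
KNOWN = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Matches an active (not commented-out) protocol directive and its arguments.
DIRECTIVE = re.compile(r"^[ \t]*(ssl_protocols|SSLProtocol)[ \t]+([^;#\n]+)", re.M | re.I)

# Constructed sample mixing nginx and Apache lines; not from a real server.
SAMPLE = """\
# constructed sample
ssl_protocols SSLv3 TLSv1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
SSLProtocol all -SSLv3
SSLProtocol all
# SSLProtocol +SSLv3
SSLProtocol -all +TLSv1.2
"""

def enabled_protocols(args):
    """Return the protocols a directive's arguments leave enabled.

    Assumptions: `all` includes SSLv3 (the conservative reading), and bare
    names are additive as in nginx; for Apache this can only over-report.
    """
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        group = set(KNOWN) if name == "all" else {p for p in KNOWN if p.lower() == name}
        if sign == "-":
            enabled -= group   # e.g. "-SSLv3" or "-all"
        else:
            enabled |= group   # "+TLSv1.2", bare "TLSv1.2", or "all"
    return enabled

def find_ssl3(config_text):
    """Return (line number, directive) for each directive that leaves SSLv3 on."""
    findings = []
    for m in DIRECTIVE.finditer(config_text):
        if "SSLv3" in enabled_protocols(m.group(2)):
            line_no = config_text.count("\n", 0, m.start(1)) + 1
            findings.append((line_no, m.group(0).strip()))
    return findings
```

Calling `find_ssl3` on the text of a configuration file returns the directives to correct; an empty list means no active directive in that text enables SSL 3.0.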