This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

Category:Cryptographic Vulnerability

Jump to: navigation, search

This category is for tagging vulnerabilities that related to cryptographic modules.


  • Algorithm Problems
    • Insecure Algorithm
      • Use algorithms that are proven flawed or weak (DES, 3DES, MD5, Sha1, AES, Blowfish, Diffie Hellman)
      • Use non-standard (home-grown) algorithms
    • Choose the wrong algorithm
      • Use hash function for encryption
      • Use encryption algorithm for hashing
    • Inappropriate use of an algorithm
      • Use insecure encryption modes (DES EBC)
      • Initial vector is not random
    • Implementation errors
      • Use non-standard cryptographic implementations/libraries
  • Key Management Problems
    • Weak keys
      • Too short or not random enough
      • Use human chosen passwords as cryptographic keys
    • Key disclosure
      • Keys not encrypted during storage or transmission
      • Keys not cleaned appropriately after use
      • Keys Hard-coded in the code or stored in configuration files
    • Key updates
      • Allow keys aging
  • Random Number Generator (RNG) Problems
    • Poor random number generators (c: rand(), Java: java.util.Random())
    • Forget to seed the random number generator
    • Use the same seed for the random number generator every time
    • Sniffing
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.