Testing For Insecure Cryptographic Storage
If you are not already familiar with the concept of Insecure Cryptographic Storage, please see the article entitled “What Is Insecure Cryptographic Storage“.
Note that you do not really “test” for this vulnerability, as it is a design or deployment decision and should be transparent to the user. Thus, detecting this vulnerability is straightforward in white-box testing scenarios, and very difficult in black-box testing scenarios. In a white-box testing scenario, you should investigate the following:
- Contact the database administrator (if applicable) to learn if database encryption is enabled
- Contact the development team to learn if the application itself is performing encryption
- Review the source code looking for encryption/decryption operations
In a black-box scenario, if you encounter an error message generated by a database exception and it contains encrypted data, you know that application data is encrypted at rest. Otherwise the test is inconclusive because you have no insight into the encryption status of the database.
For insight into how to avoid or fix Insecure Cryptographic Storage, please see the article entitled “How To Prevent Insecure Cryptographic Storage“.
About Affinity IT Security
We hope you found this article to be useful. Affinity IT Security is available to help you with your security testing and train your developers and testers. In fact, we train developers and IT staff how to hack applications and networks.
Perhaps it was a network scan or website vulnerability test that brought you here. If so, you are likely researching how to find, fix, or avoid a particular vulnerability. We urge you to be proactive and ensure that key individuals in your organization understand not only this issue, but also are more broadly aware of application security.
Contact us to learn how to better protect your enterprise.
Although every effort has been made to provide the most useful and highest quality information, it is unfortunate but inevitable that some errors, omissions, and typographical mistakes will appear in these articles. Consequently, Affinity IT Security will not be responsible for any loss or damages resulting directly or indirectly from any error, misunderstanding, software defect, example, or misuse of any content herein.