CWE-261: Weak Cryptography for Passwords
Structure: Simple
Abstraction: Variant
Status: Incomplete
Likelihood of Exploit: Unknown
Description
Obscuring a password with a trivial, reversible encoding (such as Base64) does not protect the password; anyone who can read the stored value can recover it without a key.
Relationships
- ChildOf CWE-287 (View 1000, Primary)
- ChildOf CWE-326 (View 1000)
- ChildOf CWE-326 (View 699)
Applicable Platforms
- Language: Language-Independent (Prevalence: Undetermined)
Common Consequences
Scope | Impact | Notes
---|---|---
Access Control | Gain Privileges or Assume Identity | 
Potential Mitigations
- Passwords should be encrypted with keys that are at least 128 bits in length for adequate security.
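The following Go program is an added illustration of the mitigation above; it is not code from the CWE entry. It contrasts the keyless Base64 "protection" used in the demonstrative examples (WeakDecode recovers the password from the stored value alone) with AES-128-GCM, where the 16-byte (128-bit) key is supplied from outside the configuration file. The sample password, the key handling and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// WeakDecode reproduces the CWE-261 pattern: the "protected" value is plain
// Base64, so anyone who can read the config file recovers the password with no key.
func WeakDecode(stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	return string(raw), nil
}

// EncryptPassword seals the password with AES-GCM. A 16-byte key is 128 bits,
// the minimum the mitigation calls for; the key must be kept outside the config
// file (secret manager, OS keystore, or injected at deploy time; assumed here).
func EncryptPassword(key []byte, password string) (string, error) {
	if len(key) != 16 && len(key) != 32 {
		return "", errors.New("key must be 128 or 256 bits")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Layout: nonce || ciphertext || tag, then Base64 so it fits a text config value.
	sealed := gcm.Seal(nonce, nonce, []byte(password), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptPassword reverses EncryptPassword; it fails on a wrong key or tampering.
func DecryptPassword(key []byte, stored string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("stored value too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed value: Base64 of the sample password "hunter2", as it might sit in config.properties.
	pw, _ := WeakDecode("aHVudGVyMg==")
	fmt.Println("recovered with no key:", pw)

	key := make([]byte, 16) // 128-bit key; in practice loaded from a secret store
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	stored, _ := EncryptPassword(key, "hunter2")
	back, _ := DecryptPassword(key, stored)
	fmt.Println("AES-128-GCM round trip:", back)
	_, err := DecryptPassword(make([]byte, 16), stored)
	fmt.Println("wrong key:", err)
}
```

The point of the contrast is where the secret lives: with Base64 the config value is the secret, whereas with AES-GCM the stored value is useless without the key, and a wrong key or a modified value is rejected by the authentication tag rather than silently yielding garbage.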
Demonstrative Examples
Example 1
The following code reads a password from a properties file and uses the password to connect to a database.
Bad code (Java):
```java
import java.io.FileInputStream;
import java.sql.DriverManager;
import java.util.Base64;
import java.util.Properties;
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
// Base64 is a reversible encoding, not encryption: anyone who can read the file recovers the password
String password = new String(Base64.getDecoder().decode(prop.getProperty("password")));
DriverManager.getConnection(url, usr, password);
...
```
This code will run successfully, but anyone with access to config.properties can read the value of password, easily recognize it as Base64, and decode it without any key. If a devious employee has access to this information, they can use it to break into the system.
Example 2
The following code reads a password from the registry and uses the password to create a new network credential.
Bad code (C#):
```csharp
using System;
using System.Net;
using System.Text;
// regKey (an open RegistryKey) and passKey (its value name) are assumed to be set up earlier
string value = regKey.GetValue(passKey).ToString();
byte[] decVal = Convert.FromBase64String(value);  // Base64 is an encoding, not encryption
NetworkCredential netCred = new NetworkCredential(username, Encoding.UTF8.GetString(decVal), domain);
...
```
This code will run successfully, but anyone who has access to the registry key used to store the password can read the value, recognize it as Base64, and decode it without any key. If a devious employee has access to this information, they can use it to break into the system.
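Both examples share the same detectable pattern: a credential-named configuration entry whose value is valid Base64 and decodes to printable text. The Go program below is an added example (not part of the CWE entry) that audits key=value lines in the style of the Java example's config.properties for exactly that pattern; the key-name heuristic, the sample configuration and the function names are assumptions made for the example. The same check applies to values exported from a registry key as in the C# example, since only the storage location differs.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"strings"
	"unicode"
)

// Finding records one config entry whose "protected" value is just Base64.
type Finding struct {
	Line      int
	Key       string
	Recovered string // the plaintext anyone with read access to the file obtains
}

// Substrings that mark a key as credential-bearing (heuristic, assumed for this example).
var credentialKeys = []string{"password", "passwd", "pwd", "secret", "token"}

func looksLikeCredential(key string) bool {
	k := strings.ToLower(key)
	for _, s := range credentialKeys {
		if strings.Contains(k, s) {
			return true
		}
	}
	return false
}

// decodesToText reports whether value is valid Base64 that decodes to printable text.
// Plain passwords usually fail this test (bad length or padding, or non-printable bytes),
// so it is a cheap triage filter rather than proof; review the findings by hand.
func decodesToText(value string) (string, bool) {
	raw, err := base64.StdEncoding.DecodeString(value)
	if err != nil || len(raw) == 0 {
		return "", false
	}
	for _, r := range string(raw) {
		if r == unicode.ReplacementChar || !unicode.IsPrint(r) {
			return "", false
		}
	}
	return string(raw), true
}

// AuditProperties scans key=value (or key:value) lines, skipping comments, and
// reports credential keys whose value is recoverable with a keyless Base64 decode.
func AuditProperties(content string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, "!") {
			continue
		}
		sep := strings.IndexAny(line, "=:")
		if sep < 0 {
			continue
		}
		key := strings.TrimSpace(line[:sep])
		value := strings.TrimSpace(line[sep+1:])
		if !looksLikeCredential(key) {
			continue
		}
		if plain, ok := decodesToText(value); ok {
			findings = append(findings, Finding{Line: n, Key: key, Recovered: plain})
		}
	}
	return findings
}

// Constructed sample (not a real deployment file). Lines 4 and 5 are Base64 of
// "hunter2" and "token123"; line 6 is a plain password and line 7 a non-credential
// Base64 value, neither of which should be reported.
const sampleConfig = `# constructed config.properties for the demo
db.url=jdbc:mysql://db.example/app
db.user=app
db.password=aHVudGVyMg==
api.token=dG9rZW4xMjM=
smtp.password=hunter2
banner=SGVsbG8=
log.level=INFO`

func main() {
	for _, f := range AuditProperties(sampleConfig) {
		fmt.Printf("line %d: %s is only Base64-encoded (recovers %q)\n", f.Line, f.Key, f.Recovered)
	}
}
```

Running this over real configuration or registry exports gives a list of entries to migrate to the mitigation the entry prescribes (encryption under a key of at least 128 bits that is stored elsewhere, or a secret manager); the Recovered field is there so the reviewer can confirm the hit is a genuine credential rather than a coincidental Base64-shaped string.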
Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
---|---|---|---
7 Pernicious Kingdoms | | | Password Management: Weak Cryptography
OWASP Top Ten 2004 | A8 | CWE More Specific | Insecure Storage
Related Attack Patterns
- CAPEC-55
Source: scap中文网 (article republished from the Internet)