Severity: high | CWE-327 | OWASP A02:2021

Cryptographic Failures

Sensitive data is exposed due to weak or missing encryption — using outdated algorithms like MD5/SHA1, storing passwords in plaintext, or transmitting data without TLS.

How It Works

Cryptographic failures occur when sensitive data isn't properly protected. This includes using weak hashing algorithms (MD5, SHA1) for passwords, storing data in plaintext, missing HTTPS, or using broken encryption. Attackers who intercept network traffic or gain database access can read everything. Even hashed data is vulnerable if weak algorithms are used: unsalted MD5 is fast to compute, so a leaked digest can be cracked in seconds with rainbow tables or GPU brute force.

Vulnerable Code

// Unsalted, fast MD5 digest stored as the "password": reversible with rainbow tables
const crypto = require('crypto');

async function createUser(db, email, password) {
  const hash = crypto.createHash('md5')
    .update(password).digest('hex');
  await db.users.create({ email, password: hash });
}

Secure Code

// bcrypt: per-password salt and a slow, tunable cost factor (12 rounds here)
const bcrypt = require('bcrypt');

async function createUser(db, email, password) {
  const hash = await bcrypt.hash(password, 12);
  await db.users.create({ email, password: hash });
}

Real-World Example

Adobe's 2013 breach exposed 153 million user records. Passwords were encrypted with 3DES in ECB mode (not hashed), making them trivially reversible. Millions of passwords were cracked within days.

How to Prevent It

  • Use bcrypt, scrypt, or Argon2 for password hashing
  • Never use MD5 or SHA1 for security purposes
  • Enforce HTTPS everywhere with HSTS headers
  • Encrypt sensitive data at rest using AES-256-GCM

Affected Technologies

Node.js, React, Next.js, Python, Go, Java, PHP, C#

Data Hogo detects this vulnerability automatically.
