CWE-311: Missing Encryption of Sensitive Data
Learn about CWE-311 (Missing Encryption of Sensitive Data), its security impact, exploitation methods, and prevention guidelines.
What is Missing Encryption of Sensitive Data?
• Overview: Missing Encryption of Sensitive Data occurs when a software application fails to encrypt sensitive or critical information before storing or transmitting it, leaving the data vulnerable to unauthorized access.
• Exploitation Methods:
- Attackers can intercept unencrypted data during transmission using network sniffing tools.
- Exploitations may involve accessing stored data directly if it is left unprotected in databases or file systems.
- Common attack patterns include man-in-the-middle attacks and unauthorized data extraction.
• Security Impact:
- Direct consequences include unauthorized access to sensitive information such as personal data, credentials, or financial information.
- Potential cascading effects include identity theft, data breaches, and loss of customer trust.
- Business impact may involve legal penalties, financial losses, and reputational damage.
• Prevention Guidelines:
- Specific code-level fixes include implementing strong encryption protocols like AES for data at rest and TLS for data in transit.
- Security best practices involve regularly updating encryption algorithms and configurations to protect against vulnerabilities.
- Recommended tools and frameworks include using established libraries and APIs for encryption, such as OpenSSL or Bouncy Castle, to avoid implementing encryption from scratch.
Corgea can automatically detect and fix Missing Encryption of Sensitive Data in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit:
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
const axios = require('axios');
function sendSensitiveData(data) {
// Vulnerability: Sending sensitive data over HTTP without encryption
// This exposes the data to interception by unauthorized parties
axios.post('http://example.com/api', data)
.then(response => console.log(response))
.catch(error => console.error(error));
}
This JavaScript code example demonstrates a vulnerability where sensitive information is sent over an unencrypted HTTP connection. This practice can lead to data being intercepted by attackers, as HTTP does not provide encryption.
How to fix Missing Encryption of Sensitive Data?
To address this vulnerability in JavaScript, ensure that all sensitive data is transmitted over HTTPS. Using HTTPS ensures that data is encrypted using TLS, making it secure from interception. Verify that the endpoints are configured for HTTPS and have valid SSL certificates to prevent man-in-the-middle attacks.
Fixed Code Example
const axios = require('axios');
function sendSensitiveData(data) {
// Fix: Use HTTPS to secure data transmission
// HTTPS encrypts the data, preventing unauthorized interception
axios.post('https://example.com/api', data)
.then(response => console.log(response))
.catch(error => console.error(error));
}
Switching from "http" to "https" in the API endpoint ensures that the data is encrypted during transmission, significantly improving the security of sensitive information. This simple yet effective change helps prevent eavesdropping and unauthorized access to the transmitted data. Additionally, ensure that the server has a valid SSL certificate to establish a secure connection.