This article describes Cryptographic Failures and how to prevent or fix the exposure of sensitive data in your applications.
Read more at: Cryptographic Failures - OWASP Documentation
Actions by GeneXus
Actions by Developers
- If a shared secret is needed, it must be hashed before being saved to a file or database.
  - Use a secure hash function. The use of SHA2 256 or 512 is recommended.
- Cipher the data on the application layer.
  - Cipher the cipher key. For this, the GeneXus Site Key can be used. The use of AES with 128 or 256-bit keys is recommended.
- Avoid storing sensitive data in logs. If it is unavoidable, the sensitive data must be hashed or masked.
- Avoid storing sensitive data in intermediate files. Consider using the HttpResponse data type to write and send the data directly instead. If it is unavoidable, verify that those files are erased from the server after being sent.
- Configure the application server with the minimum permissions required and avoid exposing the Temp media directory and/or other temp directories over HTTP/HTTPS.
- Use secure channels.
  - Use HTTPS strictly, even for static content.
  - Use LDAPS instead of LDAP.
  - Use TLS or WS-Security for server-to-server communication or other shared resources.
  - Use valid certificates.
  - Avoid weak cipher algorithms.
- Avoid sending sensitive data to the browser if it is not needed. Avoid hidden content with sensitive data on forms. Select the necessary information on the server side.
- Security Scanner - Detections:
  - Shared secrets: checking IsPassword property use (#119).
  - Intermediate files: checking Parameterless LINK Command on source code (#104); checking for variables of HttpResponse type (#109); checking for variables of Directory type (#111); checking for variables of File type (#112); checking use of PathToUrl on source code (#132).
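The hashing, application-layer ciphering and log-masking items above, worked through in Go as an added example that is not GeneXus code and not part of the original page: a shared secret is stored only as a salt plus its SHA-256 digest, each record is encrypted with AES-256-GCM under its own data key, that data key is in turn ciphered under a key-encryption key (the role the GeneXus Site Key plays; here it is a constructed 32-byte value the caller supplies), and a sensitive value is masked before it reaches a log line. The salt, the per-record data key and the constant-time comparison are additions for correctness, not steps the list spells out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"strings"
)

func randBytes(n int) []byte { // CSPRNG bytes; a failure here is not recoverable
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// HashSecret returns hex(salt), hex(SHA-256(salt||secret)): store these, never the secret.
func HashSecret(secret string) (saltHex, digestHex string) {
	salt := randBytes(16)
	sum := sha256.Sum256(append(salt, []byte(secret)...))
	return hex.EncodeToString(salt), hex.EncodeToString(sum[:])
}

// VerifySecret recomputes the digest and compares it in constant time.
func VerifySecret(secret, saltHex, digestHex string) bool {
	salt, err1 := hex.DecodeString(saltHex)
	want, err2 := hex.DecodeString(digestHex)
	if err1 != nil || err2 != nil {
		return false
	}
	sum := sha256.Sum256(append(salt, []byte(secret)...))
	return subtle.ConstantTimeCompare(sum[:], want) == 1
}

func newGCM(key []byte) (cipher.AEAD, error) { // key: 16 bytes (AES-128) or 32 (AES-256)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts and authenticates plaintext; the random nonce is prepended.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal and fails if nonce, ciphertext or tag were altered.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// EncryptRecord ciphers the data under a fresh 256-bit data key, then ciphers
// that key under kek (the role the Site Key plays); kek itself is never stored.
func EncryptRecord(kek, plaintext []byte) (wrappedKey, ciphertext []byte, err error) {
	dataKey := randBytes(32)
	if ciphertext, err = gcmSeal(dataKey, plaintext); err != nil {
		return nil, nil, err
	}
	if wrappedKey, err = gcmSeal(kek, dataKey); err != nil {
		return nil, nil, err
	}
	return wrappedKey, ciphertext, nil
}

// DecryptRecord unwraps the data key with kek, then opens the record with it.
func DecryptRecord(kek, wrappedKey, ciphertext []byte) ([]byte, error) {
	dataKey, err := gcmOpen(kek, wrappedKey)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dataKey, ciphertext)
}

// MaskForLog keeps only the last four characters, so a log line stays correlatable.
func MaskForLog(value string) string {
	if len(value) <= 4 {
		return strings.Repeat("*", len(value))
	}
	return strings.Repeat("*", len(value)-4) + value[len(value)-4:]
}
```

With this layout the key-encryption key is the one secret that must live outside the database, so a dump of the table yields neither the records nor the keys that protect them, and any change to a stored ciphertext or wrapped key is rejected on decryption rather than silently producing garbage. For user passwords specifically, a deliberately slow construction such as PBKDF2, bcrypt or Argon2 is preferable to a single SHA-256 round, because an attacker holding the table can otherwise test guesses at full hash speed.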
Actions by GeneXus
Actions by Developers
- If the HttpResponse data type is used to create a custom web page, the developer must specify if the response is public, if it can be cached, and for how long.

Since GeneXus 18 upgrade 1.
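An added Go example, not GeneXus code and not part of the original page, showing the three decisions above (public or not, cacheable or not, and for how long) expressed as HTTP caching headers: a per-user statement is marked private and non-cacheable, while a public report may be kept by any cache for ten minutes. The handler names, paths, response bodies and port are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// ResponsePolicy captures the three decisions the text requires for a custom
// HttpResponse page: is it public, may it be cached, and for how long.
type ResponsePolicy struct {
	Public    bool
	Cacheable bool
	MaxAge    time.Duration
}

// CacheControl renders the policy as a Cache-Control header value.
func CacheControl(p ResponsePolicy) string {
	if !p.Cacheable {
		return "no-store" // neither browser nor proxy may retain the body
	}
	scope := "private" // only the end user's own browser cache
	if p.Public {
		scope = "public" // shared caches (CDN, proxy) may keep it too
	}
	return fmt.Sprintf("%s, max-age=%d", scope, int(p.MaxAge/time.Second))
}

// ApplyPolicy writes the caching headers; for non-cacheable responses it also
// sets the legacy Pragma/Expires pair for HTTP/1.0 intermediaries.
func ApplyPolicy(w http.ResponseWriter, p ResponsePolicy) {
	h := w.Header()
	h.Set("Cache-Control", CacheControl(p))
	if !p.Cacheable {
		h.Set("Pragma", "no-cache")
		h.Set("Expires", "0")
	}
}

// StatementHandler returns per-user data: private and never cached.
func StatementHandler(w http.ResponseWriter, r *http.Request) {
	ApplyPolicy(w, ResponsePolicy{Public: false, Cacheable: false})
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	fmt.Fprintln(w, "balance for account ending 1111: 42.00") // constructed sample body
}

// ReportHandler returns a public report that any cache may keep for 10 minutes.
func ReportHandler(w http.ResponseWriter, r *http.Request) {
	ApplyPolicy(w, ResponsePolicy{Public: true, Cacheable: true, MaxAge: 10 * time.Minute})
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	fmt.Fprintln(w, "monthly totals: 1234") // constructed sample body
}

func main() {
	http.HandleFunc("/statement", StatementHandler)
	http.HandleFunc("/report", ReportHandler)
	http.ListenAndServe("127.0.0.1:8080", nil) // assumed local port for the demo
}
```

The headers must be set before the first byte of the body is written, which is why ApplyPolicy runs first in each handler; a `no-store` response is the right default whenever the page contains anything tied to the authenticated user, and `public` should be reserved for content that is identical for every caller.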