Merge pull request #490 from bugcrowd/VRT-update-Aug23-7

Addition of Key Reuse

submissions/description/cryptographic_weakness/key_reuse/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Please include specific details on where you identified the key reuse, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/cryptographic_weakness/key_reuse/inter-environment/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Please include specific details on where you identified the inter-environment key reuse, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/cryptographic_weakness/key_reuse/inter-environment/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+Implement strong cryptography and keep up to date algorithms, protocols, and keys in place. Best practices include ensuring that the application does not reuse keys across different trust zones.
+
+For more information, refer to the following resource:
+
+- <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/>

submissions/description/cryptographic_weakness/key_reuse/inter-environment/template.md

@@ -0,0 +1,22 @@
+# Inter-Environment Key Reuse
+
+## Overview of the Vulnerability
+
+Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application's cryptographic mechanism reuses keys across different environment (inter-environment). This can allow an attacker to leverage the key to gain access to information or privileges within the application that are protected by the same key.
+
+## Business Impact
+
+This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
+1. Setup {{software}} to intercept and log requests
+1. Use a browser to navigate to: {{URL}}
+1. {{action}} to view unencrypted requests
+
+## Proof of Concept (PoC)
+
+The screenshot below demonstrates the inter-environment key reuse:
+
+{{screenshot}}

submissions/description/cryptographic_weakness/key_reuse/intra-environment/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Please include specific details on where you identified the intra-environment key reuse, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/cryptographic_weakness/key_reuse/intra-environment/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+Implement strong cryptography and keep up to date algorithms, protocols, and keys in place. Best practices include ensuring that the application does not reuse keys.
+
+For more information, refer to the following resource:
+
+- <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/>

submissions/description/cryptographic_weakness/key_reuse/intra-environment/template.md

@@ -0,0 +1,22 @@
+# Intra-Environment Key Reuse
+
+## Overview of the Vulnerability
+
+Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application's cryptographic mechanism reuses keys within the same environment (intra-environment). This can allow an attacker to leverage the key to gain access to information or privileges within the application that are protected by the same key.
+
+## Business Impact
+
+This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
+1. Setup {{software}} to intercept and log requests
+1. Use a browser to navigate to: {{URL}}
+1. {{action}} to view unencrypted requests
+
+## Proof of Concept (PoC)
+
+The screenshot below demonstrates the  intra-environment key reuse:
+
+{{screenshot}}

submissions/description/cryptographic_weakness/key_reuse/lack_of_perfect_forward_secrecy/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Please include specific details on where you identified the lack of perfect forward secrecy, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/cryptographic_weakness/key_reuse/lack_of_perfect_forward_secrecy/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+Implement strong cryptography and keep up to date algorithms, protocols, and keys in place. Best practices include ensuring that perfect forward secrecy is enabled for all implemented encryption protocols.
+
+For more information, refer to the following resource:
+
+- <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/>

submissions/description/cryptographic_weakness/key_reuse/lack_of_perfect_forward_secrecy/template.md

@@ -0,0 +1,22 @@
+# Lack of Perfect Forward Secrecy
+
+## Overview of the Vulnerability
+
+It was identified that the application's cryptographic mechanism lacks the use of Perfect Forward Secrecy (PFS). PFS involves the negotiation of an ephemeral key pair for each newly create session between two parties. Without PFS, an attacker would be able to compromise all past and future sessions based on a set of keys that they can decrypt. They can then leverage the keys to gain access to information or privileges within the application that are protected by the same key.
+
+## Business Impact
+
+This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
+1. Setup {{software}} to intercept and log requests
+1. Use a browser to navigate to: {{URL}}
+1. {{action}} to view unencrypted requests
+
+## Proof of Concept (PoC)
+
+The screenshot below demonstrates the lack of PFS:
+
+{{screenshot}}

submissions/description/cryptographic_weakness/key_reuse/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+Implement strong cryptography and keep up to date algorithms, protocols, and keys in place. Best practices include ensuring that the application does not reuse keys across different trust zones.
+
+For more information, refer to the following resource:
+
+- <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/>

submissions/description/cryptographic_weakness/key_reuse/template.md

@@ -0,0 +1,22 @@
+# Key Reuse
+
+## Overview of the Vulnerability
+
+Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application's cryptographic mechanism reuses keys. This can allow an attacker to leverage the key to gain access to information or privileges within the application that are protected by the same key.
+
+## Business Impact
+
+This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
+1. Setup {{software}} to intercept and log requests
+1. Use a browser to navigate to: {{URL}}
+1. {{action}} to view unencrypted requests
+
+## Proof of Concept (PoC)
+
+The screenshot below demonstrates the key reuse:
+
+{{screenshot}}