Merge pull request #485 from bugcrowd/VRT-update-Aug23-2

Addition of Insufficient Entropy Subcategory and Variants

submissions/description/cryptographic_weakness/insufficient_entropy/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Please include specific details on where you identified insufficient entropy, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/cryptographic_weakness/insufficient_entropy/initialization_vector_reuse/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Please include specific details on where you identified the initialization vector reuse, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/cryptographic_weakness/insufficient_entropy/initialization_vector_reuse/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+Implement robust entropy for the cryptographic algorithms and ensure that the algorithms, protocols, and keys in place are kept up to date. It is also best practice to use different initialization vectors for multiple invocations of encryption routines.
+
+For more information, refer to the following resource:
+
+- <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/>

submissions/description/cryptographic_weakness/insufficient_entropy/initialization_vector_reuse/template.md

@@ -0,0 +1,22 @@
+# Initialization Vector (IV) Reuse
+
+## Overview of the Vulnerability
+
+Cryptographic algorithms use an initial block of data (called an initialization vector) alongside the plaintext data that is encrypted. When this IV is reused for multiple encryptions, an attacker can identify the IV from the original data within the encryption.
+
+## Business Impact
+
+This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
+1. Setup {{software}} to intercept and log requests
+1. Use a browser to navigate to: {{URL}}
+1. {{action}} to view unencrypted requests
+
+## Proof of Concept (PoC)
+
+The screenshot below demonstrates the initialization vector reuse:
+
+{{screenshot}}

submissions/description/cryptographic_weakness/insufficient_entropy/limited_rng_entropy_source/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Please include specific details on where you identified insufficient entropy, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/cryptographic_weakness/insufficient_entropy/limited_rng_entropy_source/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+Implement robust entropy for the cryptographic algorithms and ensure that the algorithms, protocols, and keys in place are kept up to date. It is also best practice to use multiple sources of entropy to generate random numbers so that they are not easily guessed.
+
+For more information, refer to the following resource:
+
+- <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/>

submissions/description/cryptographic_weakness/insufficient_entropy/limited_rng_entropy_source/template.md

@@ -0,0 +1,22 @@
+# Limited Random Number Generator (RNG) Entropy Source
+
+## Overview of the Vulnerability
+
+Cryptography is used to ensure secure storage and transmission of data. When insufficient entropy is used to generate cryptographic keys, it is possible to predict or guess the keys. Insufficient entropy of a Random Number Generator (RNG) was identified which can create predictable random numbers. This can allow an attacker to guess the session ID or cryptographic key and gain access to restricted data or functionality.
+
+## Business Impact
+
+This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
+1. Setup {{software}} to intercept and log requests
+1. Use a browser to navigate to: {{URL}}
+1. {{action}} to view unencrypted requests
+
+## Proof of Concept (PoC)
+
+The screenshot below demonstrates the insufficient entropy of the RNG:
+
+{{screenshot}}

submissions/description/cryptographic_weakness/insufficient_entropy/predictable_initialization_vector/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Please include specific details on where you identified the initialization vector reuse, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/cryptographic_weakness/insufficient_entropy/predictable_initialization_vector/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+Implement robust entropy for the cryptographic algorithms and ensure that the algorithms, protocols, and keys in place are kept up to date. It is also best practice to use different initialization vectors for multiple invocations of encryption routines to ensure they aren't predictable.
+
+For more information, refer to the following resource:
+
+- <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/>

submissions/description/cryptographic_weakness/insufficient_entropy/predictable_initialization_vector/template.md

@@ -0,0 +1,22 @@
+# Predictable Initialization Vector (IV)
+
+## Overview of the Vulnerability
+
+Cryptographic algorithms use an initial block of data (called an initialization vector) alongside the plaintext data that is encrypted. When this IV is predictable, an attacker can identify the IV from the original data within the encryption.
+
+## Business Impact
+
+This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
+1. Setup {{software}} to intercept and log requests
+1. Use a browser to navigate to: {{URL}}
+1. {{action}} to view unencrypted requests
+
+## Proof of Concept (PoC)
+
+The screenshot below demonstrates the predictability of the initialization vector:
+
+{{screenshot}}

submissions/description/cryptographic_weakness/insufficient_entropy/predictable_prng_seed/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Please include specific details on where you identified the predictable PRNG seed, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/cryptographic_weakness/insufficient_entropy/predictable_prng_seed/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+Implement robust entropy for the cryptographic algorithms and ensure that the algorithms, protocols, and keys in place are kept up to date. It is also best practice to use randomly generated seed values drawn from high entropy sources, such as the output of another PRNG.
+
+For more information, refer to the following resource:
+
+- <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/>

submissions/description/cryptographic_weakness/insufficient_entropy/predictable_prng_seed/template.md

@@ -0,0 +1,22 @@
+# Predictable Pseudo-Random Number Generator (PRNG) Seed
+
+## Overview of the Vulnerability
+
+A Pseudo-Random Number Generator (PRNG) uses an initial seed value to generate random number through a complex algorithm. When this seed value is predictable in full or in part, it is possible to determine the random numbers produce by the PRNG. The PRNG seed value is predictable, allowing an attacker to guess the random numbers  generated by the PRNG. This can lead to unauthorized access if that seed value is used for authorization and authentication.
+
+## Business Impact
+
+This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
+1. Setup {{software}} to intercept and log requests
+1. Use a browser to navigate to: {{URL}}
+1. {{action}} to view unencrypted requests
+
+## Proof of Concept (PoC)
+
+The screenshot below demonstrates the PRNG seed reuse:
+
+{{screenshot}}

submissions/description/cryptographic_weakness/insufficient_entropy/prng_seed_reuse/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Please include specific details on where you identified insufficient entropy, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/cryptographic_weakness/insufficient_entropy/prng_seed_reuse/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+Implement robust entropy for the cryptographic algorithms and ensure that the algorithms, protocols, and keys in place are kept up to date. It is also best practice to not use the same seed value for multiple invocations of PRNG initialization.
+
+For more information, refer to the following resource:
+
+- <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/>

submissions/description/cryptographic_weakness/insufficient_entropy/prng_seed_reuse/template.md

@@ -0,0 +1,22 @@
+# Pseudo-Random Number Generator (PRNG) Seed Reuse
+
+## Overview of the Vulnerability
+
+A Pseudo-Random Number Generator (PRNG) uses an initial seed value to generate random number through a complex algorithm. When this seed value is known, it is possible to determine the random numbers produce by the PRNG. An attacker with access to the seed value can predict or guess the random numbers which can lead to unauthorized access if that seed value is used for authorization and authentication.
+
+## Business Impact
+
+This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
+1. Setup {{software}} to intercept and log requests
+1. Use a browser to navigate to: {{URL}}
+1. {{action}} to view unencrypted requests
+
+## Proof of Concept (PoC)
+
+The screenshot below demonstrates the PRNG seed reuse:
+
+{{screenshot}}

submissions/description/cryptographic_weakness/insufficient_entropy/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+Implement robust entropy for the cryptographic algorithms and ensure that the algorithms, protocols, and keys in place are kept up to date. It is also best practice to use cryptographically strong random number generators so that the random numbers are not easily guessed.
+
+For more information, refer to the following resource:
+
+- <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/>

submissions/description/cryptographic_weakness/insufficient_entropy/small_seed_space_in_prng/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Please include specific details on where you identified the small seed space in the PRNG, how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/cryptographic_weakness/insufficient_entropy/small_seed_space_in_prng/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+Implement robust entropy for the cryptographic algorithms and ensure that the algorithms, protocols, and keys in place are kept up to date. It is also best practice to ensure that the length of the PRNG seed is sufficiently large (in bit size) to render brute force attacks infeasible.
+
+For more information, refer to the following resource:
+
+- <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/>

submissions/description/cryptographic_weakness/insufficient_entropy/small_seed_space_in_prng/template.md

@@ -0,0 +1,22 @@
+# Small Seed Space in Pseudo-Random Number Generator (PRNG)
+
+## Overview of the Vulnerability
+
+A Pseudo-Random Number Generator (PRNG) uses an initial seed value to generate random number through a complex algorithm. When this seed value is small in size, it is possible to bruteforce all possible seeed values. An attacker who can guess the seed value can predict or guess the random numbers generated by the PRNG. This can lead to unauthorized access if that seed value is used for authorization and authentication.
+
+## Business Impact
+
+This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
+1. Setup {{software}} to intercept and log requests
+1. Use a browser to navigate to: {{URL}}
+1. {{action}} to view unencrypted requests
+
+## Proof of Concept (PoC)
+
+The screenshot below demonstrates the small seed space in the PRNG:
+
+{{screenshot}}

submissions/description/cryptographic_weakness/insufficient_entropy/template.md

@@ -0,0 +1,22 @@
+# Insufficient Entropy
+
+## Overview of the Vulnerability
+
+Cryptography is used to ensure secure storage and transmission of data. When insufficient entropy is used to generate cryptographic keys, it is possible to predict or guess the keys. Insufficient entropy of cryptographic algorithm generation was identified which can allow an attacker to break the confidentiality of requests sent to and from the endpoint.
+
+## Business Impact
+
+This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
+1. Setup {{software}} to intercept and log requests
+1. Use a browser to navigate to: {{URL}}
+1. {{action}} to view unencrypted requests
+
+## Proof of Concept (PoC)
+
+The screenshot below demonstrates the insufficient entropy:
+
+{{screenshot}}

submissions/description/cryptographic_weakness/insufficient_entropy/use_of_trng_for_nonsecurity_purpose/guidance.md

@@ -0,0 +1,5 @@
+# Guidance
+
+Provide a step-by-step walkthrough with a screenshot on how you exploited the vulnerability. This will speed triage time and result in faster rewards. Please include specific details on where you identified the use of a TRNG for a non-security purpose. Including details on how you identified it, and what actions you were able to perform as a result.
+
+Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).

submissions/description/cryptographic_weakness/insufficient_entropy/use_of_trng_for_nonsecurity_purpose/recommendations.md

@@ -0,0 +1,7 @@
+# Recommendation(s)
+
+Implement robust entropy for the cryptographic algorithms and ensure that the algorithms, protocols, and keys in place are kept up to date. Only draw from TRNGs for security purposes when entropy is needed.
+
+For more information, refer to the following resources:
+
+- <https://owasp.org/Top10/A02_2021-Cryptographic_Failures/>

submissions/description/cryptographic_weakness/insufficient_entropy/use_of_trng_for_nonsecurity_purpose/template.md

@@ -0,0 +1,22 @@
+# Use of True Random Number Generator (TRNG) for Non-Security Purpose
+
+## Overview of the Vulnerability
+
+Most True Random Number Generators (TRNG) have a finite limit to their random number generation rate. Therefore, a TRNG should only be used when entropy is required for security purposes. When an application draws from a TRNG for a non-security purpose, it depletes the entropy of the source, increasing the likelihood that an attacker would be able to predict of guess number generated.
+
+## Business Impact
+
+This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application.
+
+## Steps to Reproduce
+
+1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP
+1. Setup {{software}} to intercept and log requests
+1. Use a browser to navigate to: {{URL}}
+1. {{action}} to view unencrypted requests
+
+## Proof of Concept (PoC)
+
+The screenshot below demonstrates the True Random Number Generator being used for a non-security purpose:
+
+{{screenshot}}