A02: Cryptographic Failures
Simulating the risk of storing sensitive data such as passwords without proper cryptographic protection (for passwords, that means a salted, slow one-way hash, not plaintext and not reversible encryption).
Interactive Simulation
Enter a password, save it to the "database", and then simulate an attacker breaching it.
How to Simulate
- With the defense disabled, click 'Save Password'. Notice it's stored in plaintext in the database table.
- Click 'Simulate Database Breach'. The table dump shows the plaintext password is compromised.
- Enable the 'Use Strong Hashing' defense and save the password again. Note the stored value is now a hash.
- Simulate the breach again. Observe that the attacker only gets the user record with the hash, not the original password. What the attacker can still do is guess candidate passwords offline and hash each one; the slow, salted hash makes that expensive, but weak passwords remain at risk.
| id | username | password_storage |
|---|---|---|
| 1 | alice | NULL |
Explanation
This category, called "Sensitive Data Exposure" in the 2017 OWASP Top 10, was renamed in 2021 to focus on the root cause: failures related to cryptography, whether it is missing, weak, or misused. Storing passwords in plaintext is the canonical example. If an attacker breaches the database, they have immediate access to every user's credential, and because people reuse passwords, to accounts on other sites as well.
The correct approach is a strong, adaptive, salted password hashing algorithm such as bcrypt (scrypt and Argon2id are the other common choices). These produce a fixed-length one-way hash: there is no key to recover, so the attacker cannot reverse it and can only guess candidate passwords and hash each one. A random per-user salt defeats precomputed (rainbow) tables and forces every hash to be attacked separately, and the tunable work factor makes each guess slow. Even if the database is breached, the attacker gets only the hashes; weak or reused passwords are the main residual risk.
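The following is an added example, not code from this page's simulation, that walks the procedure above end to end: store a password with the defense off and on, dump the table as the attacker would, and then run the offline guessing that the dump still allows. bcrypt is not in Python's standard library, so the example uses scrypt from `hashlib` as the salted, adaptive hash; the `scrypt$N$r$p$salt$hash` record layout, the cost parameters and the sample usernames and passwords are the example's own assumptions.

```python
import hashlib
import hmac
import os

# Assumed cost parameters for this example (N=2^14, r=8, p=1 needs ~16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32  # derived-key length in bytes


def store_plaintext(db, username, password):
    """Defense disabled: the password lands in the table exactly as typed."""
    db[username] = password


def hash_password(password, salt=None):
    """Salted, memory-hard scrypt hash of the password.

    The record format (scrypt$N$r$p$salt_hex$hash_hex) is this example's own;
    it is self-describing like a bcrypt string but is not bcrypt.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.scrypt(
        password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def store_hashed(db, username, password):
    """Defense enabled: only the hash record is stored, never the password."""
    db[username] = hash_password(password)


def verify_password(stored, candidate):
    """Re-hash the candidate with the stored salt and parameters, compare in constant time."""
    scheme, n, r, p, salt_hex, hash_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported hash scheme: " + scheme)
    digest = hashlib.scrypt(
        candidate.encode(),
        salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=DKLEN,
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def simulate_breach(db):
    """The attacker dumps the table: they get exactly what was stored, nothing less."""
    return dict(db)


def offline_guess(stored_record, wordlist):
    """What the attacker does with a hash: try candidates offline, one slow hash each.

    Returns the cracked password, or None if no candidate matched.
    """
    for guess in wordlist:
        if verify_password(stored_record, guess):
            return guess
    return None


if __name__ == "__main__":
    db = {}
    # Constructed sample data for the walkthrough.
    store_plaintext(db, "alice", "hunter2")
    print("defense off, breach dump:", simulate_breach(db))

    store_hashed(db, "alice", "hunter2")
    store_hashed(db, "bob", "hunter2")  # same password, different salt -> different record
    dump = simulate_breach(db)
    print("defense on, breach dump:", dump)

    # The residual risk: a weak password falls to a short wordlist even though it is hashed.
    print("cracked alice:", offline_guess(dump["alice"], ["123456", "password", "hunter2"]))
```

Run it and compare the two dumps: with the defense off the attacker reads `hunter2` directly; with it on, alice and bob hold different records despite sharing a password, yet the final line shows that `hunter2` is still recovered by guessing, which is why the slow hash must be paired with a sane password policy.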
Toggle Defense
When enabled, the password is not stored directly. Instead, a salted one-way hash is generated and stored, and a login is checked by re-hashing the submitted password with the stored salt and comparing the result.