# A02 – Cryptographic Failures

## Vulnerabilities

1. Cleartext Transmission of Sensitive Data
2. Insufficient Entropy
3. Insecure Random Number Generation
4. Padding Oracle Attack
5. Use of Weak Ciphers
6. Weak or Misconfigured Cryptographic Configurations
7. Use of Hard-coded Password
8. Broken or Risky Crypto Algorithm
9. The Heartbleed bug (CVE-2014-0160; OpenSSL 1.0.1 through 1.0.1f)
10. The DROWN attack (CVE-2016-0800; cross-protocol attack against servers that still support SSLv2)
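Item 4 above names the attack but not the mechanism, so here is a worked example, added by the editor and not part of the original page: a CBC ciphertext is recovered one byte at a time purely from a yes/no padding check, and the same attack fails once the server verifies a MAC before it decrypts (encrypt-then-MAC). Everything in it is assumed for illustration: the 16-byte block cipher is a 4-round HMAC-SHA256 Feistel network used only so the script runs offline without AES (it is not a real cipher, and the attack never looks inside it), the sample plaintext is constructed, and the function names (`make_padding_oracle`, `recover_block`, `seal`, `make_authenticated_oracle`) are the example's own.

```python
"""Added example (stdlib only): a CBC padding-oracle attack and the encrypt-then-MAC fix.
The block cipher is a 4-round HMAC-SHA256 Feistel network standing in for AES (not a real cipher)."""
import hashlib
import hmac
import os

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(4):
        left, right = right, xor(left, _round(key, r, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(4)):
        left, right = xor(right, _round(key, r, left)), left
    return left + right

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the distinguishable failure the attack exploits
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    pt, prev = pad(plaintext), os.urandom(BLOCK)  # fresh random IV, sent as block 0
    out = [prev]
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    c = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return unpad(b"".join(xor(block_decrypt(key, c[i]), c[i - 1]) for i in range(1, len(c))))

def make_padding_oracle(key: bytes):
    """Vulnerable server: a padding failure is observable (status code, message or timing)."""
    def oracle(ciphertext: bytes) -> bool:
        try:
            return cbc_decrypt(key, ciphertext) is not None
        except ValueError:
            return False
    return oracle

def recover_block(oracle, prev: bytes, block: bytes) -> bytes:
    """Recover D_k(block) one byte at a time, then XOR with the preceding block (or IV)."""
    inter = bytearray(BLOCK)
    for j in range(BLOCK - 1, -1, -1):
        p = BLOCK - j  # padding value being forced onto positions j..15
        for guess in range(256):
            forged = bytearray(BLOCK)
            for k in range(j + 1, BLOCK):
                forged[k] = inter[k] ^ p  # already-known bytes are made to decrypt to p
            forged[j] = guess
            if not oracle(bytes(forged) + block):
                continue
            if j == BLOCK - 1:  # rule out an accidental 0x02 0x02 (or longer) padding hit
                forged[j - 1] ^= 0xFF
                if not oracle(bytes(forged) + block):
                    continue
            inter[j] = guess ^ p
            break
        else:
            raise RuntimeError("oracle never accepted a forgery: no padding leak")
    return xor(bytes(inter), prev)

def padding_oracle_attack(oracle, ciphertext: bytes) -> bytes:
    c = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return unpad(b"".join(recover_block(oracle, c[i - 1], c[i]) for i in range(1, len(c))))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    ct = cbc_encrypt(enc_key, plaintext)  # encrypt-then-MAC: the tag covers IV and all blocks
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def make_authenticated_oracle(enc_key: bytes, mac_key: bytes):
    """Hardened server: check the tag first, so a forged block never reaches unpad()."""
    decrypts = make_padding_oracle(enc_key)
    def oracle(blob: bytes) -> bool:
        ct, tag = blob[:-32], blob[-32:]
        expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag) and decrypts(ct)
    return oracle

if __name__ == "__main__":  # stand-alone demo against a random key
    key, secret = os.urandom(16), b"Padding oracles leak one byte at a time."  # constructed sample
    print(padding_oracle_attack(make_padding_oracle(key), cbc_encrypt(key, secret)))
```

The byte-at-a-time loop in `recover_block` works unchanged against AES-CBC; only the oracle changes, and in practice it is an HTTP status, an error string or a measurable timing difference. The fix is not a quieter error message but refusing to decrypt anything whose integrity has not been verified: an AEAD mode such as AES-GCM, or, as here, encrypt-then-MAC with a separate key and a constant-time tag comparison.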

## CWEs

1. [CWE-261 Weak Encoding for Password](https://cwe.mitre.org/data/definitions/261.html)
2. [CWE-296 Improper Following of a Certificate's Chain of Trust](https://cwe.mitre.org/data/definitions/296.html)
3. [CWE-310 Cryptographic Issues](https://cwe.mitre.org/data/definitions/310.html)
4. [CWE-319 Cleartext Transmission of Sensitive Information](https://cwe.mitre.org/data/definitions/319.html)
5. [CWE-321 Use of Hard-coded Cryptographic Key](https://cwe.mitre.org/data/definitions/321.html)
6. [CWE-322 Key Exchange without Entity Authentication](https://cwe.mitre.org/data/definitions/322.html)
7. [CWE-323 Reusing a Nonce, Key Pair in Encryption](https://cwe.mitre.org/data/definitions/323.html)
8. [CWE-324 Use of a Key Past its Expiration Date](https://cwe.mitre.org/data/definitions/324.html)
9. [CWE-325 Missing Required Cryptographic Step](https://cwe.mitre.org/data/definitions/325.html)
10. [CWE-326 Inadequate Encryption Strength](https://cwe.mitre.org/data/definitions/326.html)
11. [CWE-327 Use of a Broken or Risky Cryptographic Algorithm](https://cwe.mitre.org/data/definitions/327.html)
12. [CWE-328 Reversible One-Way Hash](https://cwe.mitre.org/data/definitions/328.html)
13. [CWE-329 Not Using a Random IV with CBC Mode](https://cwe.mitre.org/data/definitions/329.html)
14. [CWE-330 Use of Insufficiently Random Values](https://cwe.mitre.org/data/definitions/330.html)
15. [CWE-331 Insufficient Entropy](https://cwe.mitre.org/data/definitions/331.html)
16. [CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)](https://cwe.mitre.org/data/definitions/335.html)
17. [CWE-336 Same Seed in Pseudo-Random Number Generator (PRNG)](https://cwe.mitre.org/data/definitions/336.html)
18. [CWE-337 Predictable Seed in Pseudo-Random Number Generator (PRNG)](https://cwe.mitre.org/data/definitions/337.html)
19. [CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)](https://cwe.mitre.org/data/definitions/338.html)
20. [CWE-340 Generation of Predictable Numbers or Identifiers](https://cwe.mitre.org/data/definitions/340.html)
21. [CWE-347 Improper Verification of Cryptographic Signature](https://cwe.mitre.org/data/definitions/347.html)
22. [CWE-523 Unprotected Transport of Credentials](https://cwe.mitre.org/data/definitions/523.html)
23. [CWE-720 OWASP Top Ten 2007 Category A9 - Insecure Communications](https://cwe.mitre.org/data/definitions/720.html)
24. [CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')](https://cwe.mitre.org/data/definitions/757.html)
25. [CWE-759 Use of a One-Way Hash without a Salt](https://cwe.mitre.org/data/definitions/759.html)
26. [CWE-760 Use of a One-Way Hash with a Predictable Salt](https://cwe.mitre.org/data/definitions/760.html)
27. [CWE-780 Use of RSA Algorithm without OAEP](https://cwe.mitre.org/data/definitions/780.html)
28. [CWE-818 Insufficient Transport Layer Protection](https://cwe.mitre.org/data/definitions/818.html)
29. [CWE-916 Use of Password Hash With Insufficient Computational Effort](https://cwe.mitre.org/data/definitions/916.html)
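CWE-759, CWE-760, CWE-328 and CWE-916 describe one failure from four angles: a fast, unsalted hash lets a single precomputed table crack every account at once. The example below, added here and not part of the original page, shows that failure and the usual fix side by side using only the standard library. The user records, the attacker's wordlist and all function names are constructed for illustration; the 600,000-iteration default is the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.

```python
"""Added example (stdlib only): the salt and work-factor CWEs applied to password storage.
Weak store: unsalted single SHA-256. Strong store: per-user random salt + PBKDF2-HMAC-SHA256."""
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to share a password.
USERS = {"alice": "Winter2024!", "bob": "Winter2024!", "carol": "correct horse battery"}
WORDLIST = ["password", "Winter2024!", "letmein", "hunter2"]  # constructed attacker wordlist
DEFAULT_ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256

def weak_hash(password: str) -> str:
    """CWE-759 (no salt) plus CWE-916 (one fast hash): equal passwords give equal records."""
    return hashlib.sha256(password.encode()).hexdigest()

def crack_weak_store(store: dict) -> dict:
    """One table, computed once, cracks every user at once; a per-user salt prevents that."""
    table = {weak_hash(word): word for word in WORDLIST}
    return {user: table[digest] for user, digest in store.items() if digest in table}

def strong_hash(password: str, salt: bytes = b"", iterations: int = DEFAULT_ITERATIONS) -> str:
    """Random 16-byte salt and a deliberately slow KDF; stored as iterations$salt$hash so
    the work factor can be raised later without breaking existing records."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def verify_strong(stored: str, password: str) -> bool:
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare of the derived key

def build_stores(iterations: int = DEFAULT_ITERATIONS):
    """Hash every sample user both ways; returns (weak_store, strong_store)."""
    weak = {user: weak_hash(pw) for user, pw in USERS.items()}
    strong = {user: strong_hash(pw, iterations=iterations) for user, pw in USERS.items()}
    return weak, strong

if __name__ == "__main__":
    weak, strong = build_stores()
    print("cracked from the unsalted store:", crack_weak_store(weak))
    print("alice verifies:", verify_strong(strong["alice"], USERS["alice"]))
```

Two details carry the security value: the salt is random per record (a fixed or user-name-derived salt is CWE-760 and restores the shared table), and the iteration count is stored with the hash so it can be raised as hardware gets faster. The same layout works for scrypt or Argon2 where those are available.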

