CWE-311: Missing Encryption of Sensitive Data
CWE Version: 4.18
Last Updated: 2025-09-09
Description
The product does not encrypt sensitive or critical information before storage or transmission.
Common Consequences
Scope: Confidentiality
Technical Impact: Read Application Data
Note: If the application does not use a secure channel, such as SSL, to exchange sensitive information, it is possible for an attacker with access to the network traffic to sniff packets from the connection and uncover the data. This attack is not technically difficult, but does require physical access to some portion of the network over which the sensitive data travels. This access is usually somewhere near where the user is connected to the network (such as a colleague on the company network) but can be anywhere along the path from the user to the end server.
Scope: Confidentiality, Integrity
Technical Impact: Modify Application Data
Note: Omitting the use of encryption in any program which transfers data over a network of any kind should be considered on par with delivering the data sent to each user on the local networks of both the sender and receiver. Worse, this omission allows for the injection of data into a stream of communication between two parties -- with no means for the victims to separate valid data from invalid. In this day of widespread network attacks and password collection sniffers, it is an unnecessary risk to omit encryption from the design of any system which might benefit from it.
Potential Mitigations
Phase: Requirements
Description: Clearly specify which data or resources are valuable enough that they should be protected by encryption. Require that any transmission or storage of this data/resource should use well-vetted encryption algorithms.
Phase: Architecture and Design
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Phase: Architecture and Design
Strategy: Separation of Privilege
Phase: Implementation, Architecture and Design
Description: When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.
Phase: Implementation
Strategy: Attack Surface Reduction
Description: Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible.
Effectiveness: Defense in Depth
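The mitigation above (strong types and naming conventions, sensitive fields kept apart from non-sensitive ones) can be shown in code. The following is an added example, not part of the CWE entry: a `Secret` wrapper type whose `repr` is always redacted and which `json.dumps` refuses to serialize, a record split into a public profile and a credentials half, and a `write_record` function that hands the credentials only to an encrypted sink. The `sink_encrypted` flag, the dataclass names and the sample user are assumptions made for the illustration; the flag stands in for a store that encrypts at rest and the example does not itself perform the encryption.

```python
import json
from dataclasses import asdict, dataclass, fields, is_dataclass
from typing import Any


class Secret:
    """Strong type marking a value as sensitive.

    Printing, logging or f-string formatting never reveals the value, and
    json.dumps() rejects the object outright, so the plaintext can only leave
    the wrapper through an explicit, grep-able reveal() call.
    """

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """The only way to obtain the plaintext; easy to audit for in code review."""
        return self._value

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    __str__ = __repr__


@dataclass(frozen=True)
class UserProfile:
    """Non-sensitive fields only: safe to log and to store in cleartext."""
    username: str
    display_name: str


@dataclass(frozen=True)
class UserCredentials:
    """Sensitive fields only, each wrapped so the type (and the name) flags them."""
    password: Secret
    api_token: Secret


@dataclass(frozen=True)
class UserRecord:
    profile: UserProfile
    credentials: UserCredentials


def contains_secret(obj: Any) -> bool:
    """Walk dicts, lists, tuples and dataclasses looking for any Secret instance."""
    if isinstance(obj, Secret):
        return True
    if is_dataclass(obj) and not isinstance(obj, type):
        return any(contains_secret(getattr(obj, f.name)) for f in fields(obj))
    if isinstance(obj, dict):
        return any(contains_secret(v) for v in obj.values())
    if isinstance(obj, (list, tuple, set)):
        return any(contains_secret(v) for v in obj)
    return False


def log_line(record: UserRecord) -> str:
    """Only the profile half is serialized; credentials never reach the log."""
    return json.dumps(asdict(record.profile), sort_keys=True)


def write_record(record: UserRecord, sink_encrypted: bool) -> str:
    """Serialize for storage.

    A cleartext sink only ever receives the profile (with a guard in case a
    Secret was misplaced there); the credentials are unwrapped only for a sink
    that is assumed to encrypt at rest.
    """
    if not sink_encrypted:
        if contains_secret(record.profile):
            raise ValueError("sensitive field found in the profile half")
        return json.dumps(asdict(record.profile), sort_keys=True)
    payload = {
        "profile": asdict(record.profile),
        "credentials": {
            "password": record.credentials.password.reveal(),
            "api_token": record.credentials.api_token.reveal(),
        },
    }
    return json.dumps(payload, sort_keys=True)


def whole_record_dump_is_rejected(record: UserRecord) -> bool:
    """An accidental json.dumps(asdict(record)) fails closed: Secret is not JSON-serializable."""
    try:
        json.dumps(asdict(record))
    except TypeError:
        return True
    return False


# Constructed sample user (not real credentials).
SAMPLE = UserRecord(
    profile=UserProfile(username="alice", display_name="Alice"),
    credentials=UserCredentials(password=Secret("hunter2"), api_token=Secret("tok-123")),
)

if __name__ == "__main__":
    print(repr(SAMPLE))                      # credentials show as Secret(<redacted>)
    print(log_line(SAMPLE))                  # profile only
    print(write_record(SAMPLE, sink_encrypted=False))
    print("whole-record dump rejected:", whole_record_dump_is_rejected(SAMPLE))
```

The point of the wrapper is that the default, lazy paths (logging a record, dumping it to JSON, writing it to a plain file) fail or redact, while the path that exposes plaintext is an explicit function call that a reviewer or a static-analysis rule can search for.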
Detection Methods
Method: Manual Analysis
The characterization of sensitive data often requires domain-specific understanding, so manual methods are useful. However, manual efforts might not achieve desired code coverage within limited time constraints. Black box methods may produce artifacts (e.g. stored data or unencrypted network transfer) that require manual evaluation.
Effectiveness: High
Method: Automated Analysis
Automated measurement of the entropy of an input/output source may indicate the use or lack of encryption, but human analysis is still required to distinguish intentionally-unencrypted data (e.g. metadata) from sensitive data.
Method: Manual Static Analysis - Binary or Bytecode
Effectiveness: SOAR Partial
Method: Dynamic Analysis with Automated Results Interpretation
Effectiveness: SOAR Partial
Method: Dynamic Analysis with Manual Results Interpretation
Effectiveness: High
Method: Manual Static Analysis - Source Code
Effectiveness: High
Method: Automated Static Analysis - Source Code
Effectiveness: SOAR Partial
Method: Architecture or Design Review
Effectiveness: High
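The entropy measurement described under Automated Analysis can be implemented in a few lines. What follows is an added example, not part of the CWE entry: a Shannon-entropy function, a whole-buffer triage label, and a sliding-window scan that reports the low-entropy regions of a stream for a human to look at. The three samples are constructed here (a cleartext login request, a SHA-256-chained byte string standing in for ciphertext, and a record with a cleartext metadata header in front of an encrypted body); the thresholds and window size are assumptions chosen for the illustration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(sample: bytes, threshold: float = 5.5) -> str:
    """Triage label for a captured buffer.

    High entropy is consistent with ciphertext but also with compressed or
    random data, and low entropy may be harmless metadata, so the label is a
    prompt for an analyst rather than a verdict.
    """
    return "likely-cleartext" if shannon_entropy(sample) < threshold else "high-entropy"


def low_entropy_windows(data: bytes, window: int = 128, threshold: float = 5.5):
    """Slide a fixed window over a stream and return (offset, entropy) for every
    window below the threshold: the spots worth manual review."""
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window:
            break  # a short tail has entropy bounded by its length; skip it
        e = shannon_entropy(chunk)
        if e < threshold:
            hits.append((off, round(e, 2)))
    return hits


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for encrypted output (SHA-256 chained over a seed),
    so the example runs offline and repeatably. This is not a cipher."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed samples (not captured from any real system).
CLEARTEXT_LOGIN = (
    b"POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"username=alice&password=hunter2\r\n"
)
CIPHERTEXT = pseudo_ciphertext(b"constructed-seed", 4096)
# A record with a 128-byte cleartext metadata header in front of an encrypted body.
# The header is legitimately unencrypted, which is why a human must review each hit.
HEADER = b"RECORD v1 type=app-data len=4096 src=10.0.0.5 dst=10.0.0.9 ts=2025-09-09T00:00:00Z".ljust(128, b".")[:128]
MIXED = HEADER + CIPHERTEXT

if __name__ == "__main__":
    for name, sample in [("login", CLEARTEXT_LOGIN), ("ciphertext", CIPHERTEXT), ("mixed", MIXED)]:
        print(f"{name:10s} entropy={shannon_entropy(sample):.2f} -> {classify(sample)}")
    print("low-entropy windows in mixed stream:", low_entropy_windows(MIXED))
```

Run against the constructed data, the login request and the header window come out well under the threshold while the pseudo-ciphertext windows sit far above it; the single hit at offset 0 of the mixed stream is the metadata header, which is exactly the kind of finding the entry says still needs a human to classify.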
Observed Examples
Reference: CVE-2009-2272
password and username stored in cleartext in a cookie
Reference: CVE-2009-1466
password stored in cleartext in a file with insecure permissions
Reference: CVE-2009-0152
chat program disables SSL in some circumstances even when the user says to use SSL.
Reference: CVE-2009-1603
Chain: product uses an incorrect public exponent when generating an RSA key, which effectively disables the encryption
Reference: CVE-2009-0964
storage of unencrypted passwords in a database
Reference: CVE-2008-6157
storage of unencrypted passwords in a database
Reference: CVE-2008-6828
product stores a password in cleartext in memory
Reference: CVE-2008-1567
storage of a secret key in cleartext in a temporary file
Reference: CVE-2008-0174
SCADA product uses HTTP Basic Authentication, which is not encrypted
Reference: CVE-2007-5778
login credentials stored unencrypted in a registry key
Reference: CVE-2002-1949
Passwords transmitted in cleartext.
Reference: CVE-2008-4122
Chain: Use of HTTPS cookie without "secure" flag causes it to be transmitted across unencrypted HTTP.
Reference: CVE-2008-3289
Product sends password hash in cleartext in violation of intended policy.
Reference: CVE-2008-4390
Remote management feature sends sensitive information including passwords in cleartext.
Reference: CVE-2007-5626
Backup routine sends password in cleartext in email.
Reference: CVE-2004-1852
Product transmits Blowfish encryption key in cleartext.
Reference: CVE-2008-0374
Printer sends configuration information, including administrative password, in cleartext.
Reference: CVE-2007-4961
Chain: cleartext transmission of the MD5 hash of password enables attacks against a server that is susceptible to replay (CWE-294).
Reference: CVE-2007-4786
Product sends passwords in cleartext to a log server.
Reference: CVE-2005-3140
Product sends file with cleartext passwords in e-mail message intended for diagnostic purposes.
Modes of Introduction
| Phase | Note |
|---|---|
| Architecture and Design | OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. |
| Operation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| CLASP | - | Failure to encrypt data | - |
| OWASP Top Ten 2007 | A8 | Insecure Cryptographic Storage | CWE More Specific |
| OWASP Top Ten 2007 | A9 | Insecure Communications | CWE More Specific |
| OWASP Top Ten 2004 | A8 | Insecure Storage | CWE More Specific |
| WASC | 4 | Insufficient Transport Layer Protection | - |
| The CERT Oracle Secure Coding Standard for Java (2011) | MSC00-J | Use SSLSocket rather than Socket for secure data exchange | - |
| Software Fault Patterns | SFP23 | Exposed Data | - |
| ISA/IEC 62443 | Part 3-3 | Req SR 4.1 | - |
| ISA/IEC 62443 | Part 3-3 | Req SR 4.3 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 4.1 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 7.3 | - |
| ISA/IEC 62443 | Part 4-2 | Req CR 1.5 | - |
Key Information
CWE ID: CWE-311
Abstraction: Class
Structure: Simple
Status: Draft
Likelihood of Exploit: High