Comments (7)
I am in favor of option 2 unless a good case can be made against it.
from vulnerability-rating-taxonomy.
+1 for option 2
from vulnerability-rating-taxonomy.
+1 for option 2 as well
from vulnerability-rating-taxonomy.
agree for the option 2
from vulnerability-rating-taxonomy.
I'm not sure I agree with either option. "Defeatable Cryptography" is a bit generic, but more importantly, there is very little difference between passwords stored as plaintext and, for example, passwords stored as unsalted MD5 hashes - a database using the latter can usually be cracked up to 90% in a very short amount of time, and up to 99%+ with some effort and more time. Another example would be passwords stored encrypted (rather than hashed), in which case if, the attacker can also recover the encryption key, the whole database can be instantly "cracked".
To sum it up, I'm not convinced it is the right thing to differentiate between plaintext / non-plaintext, and think a different metric should be used.
from vulnerability-rating-taxonomy.
Thanks for chipping in @truemongo. We're definitely on the same page, but at the same time we are facing a problem of maintaining a concise and effective crowdsourced vulnerability taxonomy. Plaintext password storage entry leaves no room for misinterpretation, but there's no straightforward way to classify other weak password storage implementations, hence the proposal of having a catch all P5 entry (option 2), that can be upgraded on a case by case basis or simply not having it at all (option 1).
Other than no salt or exposed encryption key, it is difficult to draw a line between weak and good enough password storage cryptography. To name a few: exposed salt, weak salt, fake encryption, weak hashing/encryption algorithm, or even lack of PBDKF etc. It doesn't seem to be practical (or foolproof) to address all of possible variants and so far the two options mentioned above are the only reasonable ones. We would love to hear if you have any suggestions though.
from vulnerability-rating-taxonomy.
After consulting with the team we have decided to add just one entry:
Insecure Data Storage->Server-Side Credentials Storage->Plaintext (P4)
This solution while not disincentivizing submissions of potentially valid weak cryptographic implementations will also leave the doors open for any future variants.
from vulnerability-rating-taxonomy.
Related Issues (20)
- BAC -> IDORs in Different impacts HOT 4
- Removing "Broken Access Control (BAC) > Server-Side Request Forgery (SSRF) > External" HOT 5
- Why application wide CORS misconfiguration is not a p2???? HOT 1
- Request to add LDAP Injection as Bugcrowd VRT HOT 11
- Depreciation of IE11 HOT 4
- Disposable Email Addresses - invalid HOT 5
- Privilege Escalation as a subcategory of Broken Access Controls HOT 7
- Addition - Failure to Invalidate Session On Permission Change HOT 3
- HTTP Request Smuggling HOT 2
- Addition - HTML Content Injection HOT 1
- Update - PII Leakage updated to Sensitive Information Leak HOT 3
- Why Blind XSS can't be P1 While Massive PII is leakage? HOT 1
- SSRF as it's own top-category HOT 2
- infinite 301 HOT 4
- Text injection - needs higher priority HOT 4
- Content spoofing - needs higher priority HOT 1
- New IDOR Variants HOT 10
- Change of "Sensitive Data Exposure > Disclosure of Secretes > Intentionally Public, Sample or Invalid"
- Add unnecessary open port on server misconfiguration in P1 HOT 1
- Add LLM VRT Entries HOT 11
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vulnerability-rating-taxonomy.