OWASP_TOP10A02:2021voice-validated
OWASP_TOP10 A02: A02:2021
OWASP_TOP10
AL
Founder at SQUR · last verified 2026-06-20
Regulation text
Failures related to cryptography (or the lack thereof) which often lead to exposure of sensitive data. Includes transmission of data in clear text, use of weak or outdated cryptographic algorithms, use of default or weak crypto keys, no enforcement of encryption (missing HSTS), poor entropy, and improper use of deprecated functions.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1552.001 | 1. Attackers exploit sensitive data (credentials) stored in cleartext or weakly encrypted files, directly addressing A02:2021's concern with cryptography failures leading to data exposure. | 90% |
| T1552.002 | 1. Sensitive data (credentials) stored in cleartext or weakly encrypted registry keys are vulnerable, aligning with A02:2021's focus on inadequate cryptographic protection. | 90% |
| T1552.004 | 1. Private keys stored without strong encryption or in cleartext represent a critical cryptography failure, as highlighted by A02:2021 regarding weak crypto keys. | 90% |
| T1003.001 | 1. If LSASS memory contains weakly protected credentials, it indicates a failure in cryptographic protection of sensitive data in memory, a direct concern of A02:2021. | 80% |
| T1003.002 | 1. A weakly protected Security Account Manager (SAM) database allows credential dumping, reflecting A02:2021's emphasis on inadequate protection of sensitive authentication data. | 80% |
| T1005 | 1. Collecting sensitive data that is not encrypted on local systems directly results from the 'lack thereof' encryption, a core issue in A02:2021. | 90% |
| T1039 | 1. Sensitive data collected from network shared drives lacking encryption exemplifies the 'transmission of data in clear text' and 'no enforcement of encryption' cited in A02:2021. | 90% |
| T1041 | 1. Exfiltrating sensitive data over an unencrypted C2 channel directly relates to 'transmission of data in clear text' and 'no enforcement of encryption' as per A02:2021. | 80% |
| T1048.003 | 1. Exfiltration using protocols that lack encryption or use weak encryption directly aligns with A02:2021's concern for cleartext transmission and weak cryptographic algorithms. | 80% |
| T1071.001 | 1. Using unencrypted HTTP for sensitive communications is a clear instance of 'transmission of data in clear text' and 'no enforcement of encryption', as stated in A02:2021. | 90% |
| T1071.002 | 1. Using unencrypted FTP for sensitive data transfer represents a 'transmission of data in clear text' failure, directly addressed by A02:2021. | 90% |
| T1083 | 1. Discovering sensitive files stored unencrypted or with weak encryption facilitates data exposure, a primary outcome of cryptography failures in A02:2021. | 80% |
| T1562.001 | 1. Disabling or modifying encryption tools or configurations directly leads to 'no enforcement of encryption' or 'weak cryptographic algorithms', as described in A02:2021. | 70% |
| T1565.001 | 1. Modifying sensitive stored data due to weak integrity protection (weak crypto) is a direct consequence of 'weak or outdated cryptographic algorithms' and 'improper use of deprecated functions' in A02:2021. | 70% |
| T1565.002 | 1. Modifying sensitive transmitted data due to weak integrity protection (weak crypto) reflects 'transmission of data in clear text' or 'weak cryptographic algorithms' from A02:2021. | 70% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1031 | 1. Network segmentation limits the exposure of sensitive data, reducing the impact of 'transmission of data in clear text' by restricting access to vulnerable segments, as per A02:2021. | 80% |
| M1032 | 1. Multi-factor authentication protects against credential theft, even if 'weak crypto keys' or 'unsecured credentials' (A02:2021) are present, by adding an extra layer of security. | 70% |
| M1035 | 1. Limiting network access to resources containing sensitive data reduces the attack surface for exploiting 'no enforcement of encryption' or 'cleartext transmission' (A02:2021). | 80% |
| M1037 | 1. Filtering network traffic can block unencrypted or weakly encrypted communications, directly addressing 'transmission of data in clear text' and 'weak cryptographic algorithms' in A02:2021. | 80% |
| M1040 | 1. Data encryption directly addresses the core issue of A02:2021 by mandating strong encryption for data at rest and in transit, preventing 'transmission of data in clear text' and 'exposure of sensitive data'. | 100% |
| M1042 | 1. Disabling or removing insecure protocols or cryptographic functions prevents 'use of weak or outdated cryptographic algorithms' and 'improper use of deprecated functions' as specified in A02:2021. | 90% |
Underlying weaknesses · 6
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-326 | 1. Inadequate encryption strength directly corresponds to A02:2021's mention of 'weak or outdated cryptographic algorithms' and 'weak crypto keys'. | 100% |
| CWE-327 | 1. Use of a broken or risky cryptographic algorithm is explicitly covered by A02:2021's 'weak or outdated cryptographic algorithms' and 'improper use of deprecated functions'. | 100% |
| CWE-311 | 1. Missing encryption of sensitive data directly aligns with A02:2021's 'transmission of data in clear text' and 'no enforcement of encryption'. | 100% |
| CWE-319 | 1. Cleartext transmission of sensitive information is a direct match for A02:2021's 'transmission of data in clear text'. | 100% |
| CWE-338 | 1. Use of cryptographically weak pseudo-random number generators (PRNG) directly relates to A02:2021's concern about 'poor entropy'. | 90% |
| CWE-321 | 1. Use of hard-coded cryptographic keys directly contributes to A02:2021's 'use of default or weak crypto keys'. | 90% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0186 compute · voice-rubric self-validated