Mitigating OWASP Web Application Risk: Cryptographic Failures using F5 BIG-IP
Introduction
In today’s digital world, where personal, financial, and confidential information is constantly being transmitted online, protecting that data is more important than ever. One of the essential ways to keep this information safe is through cryptography, a method of converting information into a secure format that can only be read by someone with the right key.
However, when encryption is implemented incorrectly or neglected altogether, it leads to what’s known as a cryptographic failure. Let’s take a closer look at what cryptographic failures are, how they happen, and why they matter.
What Are Cryptographic Failures?
A cryptographic failure occurs when sensitive data isn’t properly protected, making it vulnerable to attackers. This can happen in various ways, such as:
- Using weak, outdated, or broken cryptographic algorithms (for example the MD5 or SHA-1 hash functions, which are no longer collision resistant)
- Improper key management, such as storing cryptographic keys in plain text or hardcoding them into the source code
- Failing to encrypt sensitive data both at rest (when stored) and in transit (when being sent over the internet)
- Exposing sensitive data over unsecured connections like HTTP instead of HTTPS
- Using encryption without following recommended security standards and best practices
These oversights and mistakes leave personal data like passwords, credit card numbers, health records, and personal identifiers open to theft, tampering, and unauthorized access.
Example Scenario:
A common example of a cryptographic failure occurs when a user connects to an open, unsecured Wi-Fi network, such as those found in coffee shops or airports, and accesses a website that transmits sensitive information over HTTP instead of HTTPS. An open network provides no link-layer encryption, so anyone in radio range can capture the traffic with tools like Wireshark or tcpdump. If the website uses HTTP to transmit login credentials, the username and password travel in plaintext, and the attacker can read them directly from the capture, leading to credential theft. This is a classic cryptographic failure: the website fails to use the proper mechanism (namely, HTTPS) to protect sensitive information in transit.
Attack Demonstration:
For this attack demonstration, we use a simple demo web application running on HTTP. This application is added as a pool member on BIG-IP; for the procedure, refer to the BIG-IP documentation on adding a pool member.
A user connected to a public, open network logs in to this application. Because the application runs on HTTP, everything the user sends is transmitted in plaintext. An attacker on the same network captures the traffic with Wireshark and, since the login request is plain HTTP, reads the username and password directly from the captured POST body.
Mitigation using BIG-IP Advanced WAF:
Log in to the BIG-IP Configuration Utility, navigate to Local Traffic > Virtual Servers > Virtual Server List, and create a new virtual server with the following settings.
Destination Address/Mask: the virtual IP address that clients will connect to (an address on the BIG-IP client-facing network, not the pool member's address)
Service Port: 443 (HTTPS). Any TCP port works technically, but 443 is the port browsers use for https:// URLs, so choosing it avoids non-standard URLs.
SSL Profile (Client): clientssl. Note that the built-in clientssl profile carries the BIG-IP default self-signed certificate, which browsers will warn about; for anything beyond a lab, create a custom client SSL profile that references a CA-issued certificate and key imported into the BIG-IP certificate store, so the private key is never copied into scripts or source (the key-management point from the list above).
Source Address Translation: Auto Map
Default Pool: the pool to which the application was added as a pool member
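The same configuration expressed in tmsh, the BIG-IP command-line shell, as an added example that is not part of the original article. It reproduces the GUI steps above and adds what a production deployment needs: a client SSL profile with a real certificate, a port-80 virtual server that redirects to HTTPS, HSTS on the HTTP profile, and an optional server-side re-encryption step. The names and addresses (app_pool, 10.1.20.10, 10.1.10.100, app.crt, app.key, app.example.com) are assumptions for the example.

```tmsh
# Added example (not from the original article). Assumptions:
#   10.1.20.10:80   - the demo application, added as an HTTP pool member
#   10.1.10.100     - the virtual address clients connect to
#   app.crt/app.key - a CA-issued certificate and key already imported under
#                     System > Certificate Management (key never leaves BIG-IP)

# 1. Pool holding the HTTP-only demo application (same pool as in the article).
create ltm pool app_pool members add { 10.1.20.10:80 } monitor http

# 2. Client SSL profile with a real certificate instead of the self-signed
#    default carried by the built-in "clientssl" profile.
create ltm profile client-ssl app_clientssl defaults-from clientssl cert-key-chain add { app { cert app.crt key app.key } }

# 3. HTTP profile that emits an HSTS header (max-age = 1 year), so browsers
#    refuse to fall back to http:// on later visits.
create ltm profile http app_http defaults-from http hsts { mode enabled maximum-age 31536000 include-subdomains enabled }

# 4. HTTPS virtual server: the tmsh equivalent of the GUI procedure above.
#    Port 443 rather than "any TCP port", so clients get HTTPS by default.
create ltm virtual vs_app_https destination 10.1.10.100:443 ip-protocol tcp profiles add { app_http app_clientssl } source-address-translation { type automap } pool app_pool

# 5. Close the plaintext path: a port-80 virtual server whose only job is to
#    answer with a redirect to https://, using the system-supplied iRule.
create ltm virtual vs_app_http_redirect destination 10.1.10.100:80 ip-protocol tcp profiles add { http } rules { _sys_https_redirect }

# 6. Optional: re-encrypt toward the pool member so the BIG-IP-to-server leg
#    is not plaintext either. Requires the application to listen on 443.
# modify ltm pool app_pool members replace-all-with { 10.1.20.10:443 }
# modify ltm virtual vs_app_https profiles add { serverssl { context serverside } }

save sys config

# Verify from a client on the network (run from a normal shell, not tmsh):
#   openssl s_client -connect 10.1.10.100:443 -servername app.example.com
#   curl -sI http://10.1.10.100/ | grep -i '^location: https'
#   curl -skI https://10.1.10.100/ | grep -i '^strict-transport-security'
```

Type the commands at the tmsh prompt, or prefix each with `tmsh` from the BIG-IP bash shell. Step 5 matters as much as step 4: without the redirect, a user who types the http:// URL still sends credentials in the clear, and step 6 is what turns "encrypted to the BIG-IP" into "encrypted end to end".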
The application can now be reached through the BIG-IP virtual server over HTTPS. BIG-IP terminates TLS on the client side, so everything on the path the attacker can observe is ciphertext: a capture now shows TLS records instead of a readable POST body with the username and password. Two caveats apply. First, the connection from BIG-IP to the pool member is still plain HTTP, so encryption covers only the client-to-BIG-IP leg; to re-encrypt toward the application, add a Server SSL profile and point the pool at an HTTPS-capable port. Second, nothing stops a user from typing an http:// URL, so pair the HTTPS virtual server with a port-80 virtual server that redirects to HTTPS (the system-supplied _sys_https_redirect iRule) and enable HSTS in the HTTP profile so browsers refuse to downgrade. Note that TLS termination is a Local Traffic Manager (LTM) feature; no Advanced WAF policy is needed for this step.
Conclusion
Cryptographic failures are often silent threats—unnoticed until it’s too late. Weak encryption, poor key management, or unsecured data transmission can open the door to serious breaches. This article covers what cryptographic failures are, how they happen, and how they can be mitigated using BIG-IP.