CWE-311: Missing Encryption of Sensitive Data

Overview

Missing Encryption occurs when sensitive data is transmitted or stored without proper cryptographic protection, exposing it to unauthorized access or interception.

OWASP Classification

A06:2025 - Insecure Design

Risk

High: Attackers can intercept, read, or modify sensitive data in transit or at rest, leading to data breaches, privacy violations, or regulatory non-compliance.

Remediation Steps

Core principle: Encrypt sensitive data at rest when exposure is plausible; treat storage as untrusted.

Locate the missing encryption in your application

• Review the flaw details to identify the specific file, line number, and code pattern
• Identify what sensitive data is unencrypted (passwords, PII, financial data, session tokens, API keys)
• Trace the data flow: is it in transit (network communication) or at rest (storage, database, files)
• Determine the exposure: who can access this unencrypted data (network attackers, file system access, database dump)

Encrypt sensitive data in transit (Primary Defense)

• Use TLS 1.2+ for all network communications: HTTPS for web traffic, TLS for database connections, secure WebSocket (wss://)
• Enforce HTTPS for web applications: Redirect all HTTP to HTTPS (301 redirect), use HSTS header (Strict-Transport-Security: max-age=31536000)
• Encrypt internal communications: Use TLS for service-to-service calls, mTLS for authentication, SSL/TLS for message queues
• Never transmit sensitive data over HTTP: Passwords, session tokens, PII, credit cards must use HTTPS
• Secure database connections: PostgreSQL sslmode=require, MySQL require_secure_transport=ON, MongoDB ssl=true

Encrypt sensitive data at rest

• Use strong encryption algorithms: AES-256-GCM for data encryption, AES-256-CBC with HMAC for legacy systems
• Encrypt database fields: Use database-level encryption (Transparent Data Encryption) or application-level encryption (encrypt before INSERT)
• Encrypt files containing sensitive data: Config files with credentials, backup files, log files with PII
• Use full-disk encryption: Enable BitLocker (Windows), FileVault (macOS), LUKS (Linux) for storage devices
• Encrypt cloud storage: Use server-side encryption (S3 SSE-KMS, Azure Storage Encryption) or client-side encryption

Implement secure key management

• Protect encryption keys: Use key management systems (AWS KMS, Azure Key Vault, HashiCorp Vault), never hardcode keys in source code
• Use vetted cryptographic libraries: OpenSSL, Java JCA, .NET System.Security.Cryptography, Python cryptography, Node.js crypto
• Avoid weak or custom cryptography: Don't use DES, 3DES, RC4, or homegrown algorithms
• Rotate encryption keys: Implement key rotation policies (annually or after breach)
• Separate keys from data: Store keys in different system/service than encrypted data

Monitor and audit encryption usage

• Regularly review encryption configurations (TLS versions, cipher suites, key strengths)
• Log encryption failures or suspicious access (decryption errors, key access logs)
• Scan codebase for unencrypted sensitive data transmission (grep for 'http://', plaintext passwords)
• Monitor certificate expiration and renewal (SSL certificate monitoring tools)
• Track compliance with encryption policies (PCI-DSS, HIPAA, GDPR requirements)

Test the encryption implementation thoroughly

• Verify sensitive data is encrypted in transit (use network sniffer to confirm TLS usage)
• Verify sensitive data is encrypted at rest (inspect database, files to confirm ciphertext)
• Test with security scanning tools (SSL Labs for HTTPS configuration, SAST scanners for code)
• Verify decryption works correctly for legitimate users
• Re-scan with security scanner to confirm the issue is resolved

Common Vulnerable Patterns

• Transmitting sensitive data over HTTP or unencrypted channels
• Storing passwords or PII in plaintext
• Using weak or deprecated algorithms (e.g., DES, RC4)

Unencrypted Transmission of Sensitive Data (Python)

# Sends sensitive data over HTTP
requests.post('http://example.com/api', data=sensitive_data)
# Attack: Network eavesdropper intercepts plaintext data

Secure Patterns

HTTPS Encryption for Data in Transit (Python)

# Sends sensitive data over HTTPS with certificate verification
requests.post(
    'https://example.com/api', 
    data=sensitive_data,
    verify=True  # Verify SSL certificate (default)
)
# Additionally, enforce TLS 1.2+ and reject weak ciphers

Why this works:

• Uses HTTPS (TLS/SSL) to encrypt data in transit, preventing eavesdropping and man-in-the-middle attacks
• Protects sensitive data (passwords, credit cards, PII) from network interception on untrusted networks
• Certificate verification ensures communication with legitimate server, not attacker impersonator
• Modern TLS (1.2+) provides strong encryption algorithms (AES-GCM) and forward secrecy
• Combined with data-at-rest encryption, provides comprehensive data protection throughout lifecycle

Additional Resources

• CWE-311: Missing Encryption of Sensitive Data
• OWASP Cryptographic Storage Cheat Sheet
• OWASP Top 10 2025 A06: Insecure Design