Scenario #1: SQL Injection and Automatic Database Decryption

An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing a SQL injection flaw to retrieve credit card numbers in clear text. 

Consequence: SQL injection allows attackers to retrieve credit card numbers in clear text.

Scenario #2: Weak Encryption and Session Hijacking

A site does not use or enforce TLS for all pages, or it supports weak encryption. An attacker monitors network traffic (e.g., at an insecure wireless network), downgrades connections from HTTPS to HTTP, intercepts requests, and steals the user's session cookie. The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's personal data. Alternatively, the attacker could alter all transported data, e.g., the recipient of a money transfer.

Consequence: Attackers can intercept network traffic and steal session cookies, allowing them to hijack user accounts or manipulate financial transfers.

Scenario #3: Unsalted Hashes and Rainbow Tables

The password database uses unsalted or simple hashes to store everyone's passwords. A file upload flaw allows an attacker to retrieve the password database. All the unsalted hashes can be exposed with a rainbow table of pre-calculated hashes. Hashes generated by simple or fast hash functions may be cracked by GPUs, even if they were salted. 

Consequence: Attackers can easily crack passwords using precomputed hash values (rainbow tables).
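
The following is an added example, not part of the original scenario text. It contrasts the fast, unsalted hash from Scenario #3 with per-user salted scrypt and includes an audit check that flags accounts sharing a stored digest. The function names, scrypt cost parameters and sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Assumed scrypt cost parameters for this example; tune them for your hardware.
N, R, P, MAXMEM = 2**14, 8, 1, 64 * 1024 * 1024


def weak_hash(password: str) -> str:
    """Scenario #3 pattern: fast, unsalted digest (same input, same output)."""
    return hashlib.sha256(password.encode()).hexdigest()


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P,
                          maxmem=MAXMEM, dklen=32)


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, key) using a fresh random salt and a memory-hard KDF."""
    salt = os.urandom(16)
    return salt, _scrypt(password, salt)


def verify_password(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(_scrypt(password, salt), key)


def shared_digests(table: dict[str, str]) -> list[list[str]]:
    """Audit check: accounts sharing a digest indicate unsalted storage."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return sorted(sorted(u) for u in groups.values() if len(u) > 1)


# Constructed sample accounts; alice and carol chose the same password.
SAMPLE = {"alice": "Summer2024!", "bob": "correct horse", "carol": "Summer2024!"}

if __name__ == "__main__":
    weak = {u: weak_hash(p) for u, p in SAMPLE.items()}
    print("unsalted, shared digests:", shared_digests(weak))
    strong = {u: hash_password(p) for u, p in SAMPLE.items()}
    salted = {u: k.hex() for u, (_, k) in strong.items()}
    print("salted scrypt, shared digests:", shared_digests(salted))
    salt, key = strong["alice"]
    print("verify ok:", verify_password("Summer2024!", salt, key))
```

Identical digests across accounts are what make a precomputed table effective against the whole database at once; a random per-user salt removes that property, and the memory-hard KDF raises the cost of each guess on GPUs.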