Unencrypted password form

Medium Web Application Scanning Plugin ID 98082

Synopsis

Unencrypted password form

Description

The HTTP protocol by itself is cleartext, meaning that any data transmitted
via HTTP can be captured on the network and its contents read.

To keep data private and prevent it from being intercepted, HTTP is
tunnelled through Transport Layer Security (TLS), or historically its
predecessor Secure Sockets Layer (SSL).
When HTTP is carried over either of these protocols it is referred to as HTTPS.

Attackers will often attempt to compromise credentials passed from the
client to the server over HTTP.
This can be done through various Man-in-the-Middle (MitM) attacks or by
passively capturing network traffic.

The scanner discovered that the affected page contains a `password` input,
but the form that contains it submits to a URL that is not served over HTTPS
(an http:// action, or an empty or relative action on a page that was itself
loaded over HTTP). Any credential submitted through this form therefore
crosses the network in cleartext and may be compromised.

Solution

The affected site should be secured using HTTPS, and both the page that contains the password form and the URL the form submits to should be served over HTTPS. Use TLS 1.2 or later; TLS 1.3 is the current version and TLS 1.2 is widely supported. SSL 2.0 and SSL 3.0 are obsolete and insecure and should be disabled, as should TLS 1.0 and 1.1 and weak cipher suites (< 128-bit keys). Redirecting all HTTP requests to HTTPS and enabling HTTP Strict Transport Security (HSTS) prevents clients from ever loading the form over cleartext HTTP.

See Also

http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection

Plugin Details

Severity: Medium

ID: 98082

Type: remote

Published: 2017/03/31

Modified: 2017/10/16

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3.0

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference Information