Insecure Transport (difference between revisions)
From OWASP
Revision by Weilin Zhong (talk | contribs). Compared with the previous revision, this revision adds the Description, Examples, Related Threats and Related Attacks text shown below, and the categories Communication and SSL; the page was already in Category:Environmental Problem.
Revision as of 17:39, 29 June 2006
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Description
The application, or the server configuration it runs under, does not enforce SSL (TLS) on pages that carry sensitive data. Those pages can therefore be requested and served over plain HTTP, so login credentials, session identifiers and other sensitive data cross the network in cleartext.
Examples
- Login pages are served over plain HTTP rather than SSL, so the credentials the user submits travel in cleartext.
- A publicly accessible page served over HTTP contains a relative link to a protected page. A relative link inherits the scheme of the page it appears on, so the protected page is requested over HTTP instead of switching to SSL.
Related Threats
- Attackers trying to steal login credentials, session IDs or other sensitive information, for example by sniffing cleartext traffic anywhere on the network path between the user and the server.
Related Attacks
- Bypassing SSL by entering http:// instead of https:// in the URL: if the server neither redirects nor refuses the request, it serves the protected page in cleartext.
- Sending the victim an insecure (http://) URL of a protected page, such as the login page, to trick the victim into using the privileged page over HTTP.
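The two checks below illustrate the weakness and its fix in working code. This is an added example, not code from the OWASP page: `enforce_https()` is the missing behaviour from the Description (a sensitive page requested over plain HTTP is answered with a redirect to its HTTPS URL rather than with the page body), and `find_insecure_links()` reproduces the second Example by resolving relative links on an HTTP page and flagging those that land on a protected path over HTTP. The host name `www.example.com`, the sensitive path prefixes, and the HTML snippet are constructed for the example.

```python
"""Checks for the "Insecure Transport" weakness (added example, not OWASP code).

1. enforce_https(): the hardened behaviour the page describes as missing.
2. find_insecure_links(): finds relative links on an HTTP page that resolve
   to protected paths over HTTP, since a relative link inherits the scheme
   of the page it sits on.

All host names, paths and HTML below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the application knows which paths carry sensitive data.
SENSITIVE_PREFIXES = ("/login", "/account", "/checkout")


def is_sensitive(path: str) -> bool:
    """True if `path` is a sensitive page or lies under a sensitive prefix.

    Matches on whole path segments so that "/loginfo" is not mistaken for
    "/login".
    """
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def enforce_https(scheme: str, host: str, path: str, query: str = "") -> dict:
    """Decide how a request for `path` should be answered.

    Returns {"status": 301, "location": "https://..."} when a sensitive page
    is requested over anything other than HTTPS, and {"status": 200} when the
    request may be served as-is. Serving the page body over HTTP is never an
    option for a sensitive path.
    """
    if scheme != "https" and is_sensitive(path):
        target = f"https://{host}{path}" + (f"?{query}" if query else "")
        return {"status": 301, "location": target}
    return {"status": 200}


class _LinkCollector(HTMLParser):
    """Collects link targets from <a href> and <form action> attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "form"):
            for name, value in attrs:
                if name in ("href", "action") and value:
                    self.hrefs.append(value)


def find_insecure_links(page_url: str, html: str) -> list:
    """Return (href, resolved_url) pairs on `page_url` that reach a sensitive
    path over plain HTTP. Relative hrefs are resolved against `page_url`, so
    on an http:// page they stay on http://."""
    parser = _LinkCollector()
    parser.feed(html)
    insecure = []
    for href in parser.hrefs:
        resolved = urljoin(page_url, href)
        parts = urlsplit(resolved)
        if parts.scheme == "http" and is_sensitive(parts.path):
            insecure.append((href, resolved))
    return insecure


# Constructed sample: a public page served over HTTP.
PUBLIC_PAGE_URL = "http://www.example.com/index.html"
PUBLIC_PAGE_HTML = """
<html><body>
<a href="/products">Products</a>
<a href="/login">Sign in</a>
<a href="https://www.example.com/account">My account</a>
<form action="login" method="post"><input name="password"></form>
</body></html>
"""

if __name__ == "__main__":
    for href, resolved in find_insecure_links(PUBLIC_PAGE_URL, PUBLIC_PAGE_HTML):
        print(f"insecure link {href!r} resolves to {resolved}")
    print(enforce_https("http", "www.example.com", "/login"))
```

Note that the redirect only helps once the browser has already sent the first request; if that request was a POST carrying a password, the credentials are on the wire before the 301 arrives. That is why the links and form actions on public pages must point at https:// explicitly (the second check), and why modern deployments add HTTP Strict Transport Security so the browser never makes the HTTP request at all.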
Related Vulnerabilities
Related Countermeasures
Categories
- Environmental Problem
- Communication
- SSL
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.