This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Insecure Transport"
From OWASP
Weilin Zhong (talk | contribs) |
Weilin Zhong (talk | contribs) (Added contents from Fortify.) |
||
Line 1: | Line 1: | ||
{{Template:Vulnerability}} | {{Template:Vulnerability}} | ||
+ | {{Template:Fortify}} | ||
+ | |||
+ | ==Abstract== | ||
+ | |||
+ | * The application configuration should ensure that SSL is used for all access controlled pages. | ||
==Description== | ==Description== | ||
− | + | If an application uses SSL to guarantee confidential communication with client browsers, the application configuration should make it impossible to view any access controlled page without SSL. However, it is not a uncommon problem that the configuration of the application fails to enforce the use of SSL on pages that contain sensitive data. | |
+ | |||
+ | There are three common ways for SSL to be bypassed: | ||
+ | |||
+ | * A user manually enters URL and types "HTTP" rather than "HTTPS" | ||
+ | * Attackers intentionally send a user to an insecure URL | ||
+ | * A programmer erroneously creates a relative link to a page in the application, failing to switch from HTTP to HTTPS. (This is particularly easy to do when the link moves between public and secured areas on a web site.) | ||
==Examples == | ==Examples == | ||
Line 24: | Line 35: | ||
==Categories== | ==Categories== | ||
− | |||
− | |||
[[Category:Deployment]] | [[Category:Deployment]] |
Revision as of 18:08, 21 July 2006
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
Abstract
- The application configuration should ensure that SSL is used for all access controlled pages.
Description
If an application uses SSL to guarantee confidential communication with client browsers, the application configuration should make it impossible to view any access controlled page without SSL. However, it is not a uncommon problem that the configuration of the application fails to enforce the use of SSL on pages that contain sensitive data.
There are three common ways for SSL to be bypassed:
- A user manually enters URL and types "HTTP" rather than "HTTPS"
- Attackers intentionally send a user to an insecure URL
- A programmer erroneously creates a relative link to a page in the application, failing to switch from HTTP to HTTPS. (This is particularly easy to do when the link moves between public and secured areas on a web site.)
Examples
- Login pages are not SSL protected
- A publicly accessible page contains a relative link to a protected page which forgets to switch to SSL.
Related Threats
- Attackers that are trying to steal login credentials, session ids or other sensitive information
Related Attacks
- Bypassing SSL by entering HTTP instead of HTTPS
- Sending insecure URLs of protected pages to the victim (e.g. login page) to trick the victim into accessing the privileged pages via HTTP