Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-003)
This article is part of the new OWASP Testing Guide v4.
Brief Summary
Sensitive data must be protected when it is transmitted through the network. If data is transmitted over HTTPS or encrypted in another way, the protection mechanism must not have limitations or vulnerabilities, as explained in the broader article "Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection" [1] and in other OWASP documentation [2], [3], [4], [5]. In fact, adding a security control or safeguard is itself an addition to the attack surface. However, a specific test is needed to check whether the control is missing altogether and sensitive data is transmitted over an unencrypted channel. As a rule of thumb, if data must be protected when it is stored, it must also be protected during transmission. Examples include:
- Information used in Authentication (e.g. Credentials, PINs, Session Ids, Tokens, Cookies…)
- Information protected by Laws, Regulations or specific Organization’s Policy (e.g. Credit Cards, Customers data)
Description of the Issue
If the application transmits sensitive information via unencrypted channels (e.g. HTTP), it is a vulnerability. Typically it is possible to find Basic authentication over HTTP, passwords submitted through HTTP forms and, in general, other information considered sensitive by regulations, laws or organization policy.
Black Box testing and example
Various types of information that must be protected can also be found transmitted in clear text. It is possible to check whether this information is transmitted over HTTP instead of HTTPS. Please refer to the specific tests for full details: credentials are covered in [3] and other kinds of data in [2].
Example 1. Basic Authentication over HTTP
A typical example is the usage of Basic Authentication over HTTP. Note also that with Basic Authentication the credentials placed in the HTTP headers are only encoded (Base64), not encrypted. The challenge can be observed with curl [5]:
$ curl -kis http://example.com/restricted/
HTTP/1.1 401 Authorization Required
Date: Fri, 01 Aug 2013 00:00:00 GMT
WWW-Authenticate: Basic realm="Restricted Area"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 162
Content-Type: text/html

<html><head><title>401 Authorization Required</title></head>
<body bgcolor=white>
<h1>401 Authorization Required</h1>
Invalid login credentials!
</body></html>
Example 2. Form Authentication over HTTP
Another typical example is a form containing passwords that is submitted over HTTP. Look for the “http://” scheme, or a scheme-relative “//” (which inherits the scheme of the page, so it is HTTP on an HTTP page), in the form's “action” attribute, combined with inputs containing passwords or other sensitive data.
<form action="http://example.com/login">
  <label for="username">User:</label>
  <input type="text" id="username" name="username" value=""/><br />
  <label for="password">Password:</label>
  <input type="password" id="password" name="password" value=""/>
  <input type="submit" value="Login"/>
</form>
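The check described above can be automated. The following Python script is an added example, not part of the OWASP guide: it parses a page (a constructed sample is embedded) and reports every form that would submit a password field over a non-HTTPS action, resolving empty, relative and scheme-relative actions against the URL the page was fetched from.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAuditor(HTMLParser):
    """Collect each <form> action together with its password input names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url  # URL the page was fetched from
        self.forms = []           # list of [action, [password field names]]
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Empty, relative and scheme-relative ("//") actions resolve
            # against the page URL, so a form on an HTTP page inherits HTTP.
            self._form = [urljoin(self.page_url, a.get("action") or ""), []]
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "text").lower() == "password":
                self._form[1].append(a.get("name") or "?")

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def insecure_password_forms(html, page_url):
    """Return (action, password fields) for forms that submit over non-HTTPS."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    return [(action, fields) for action, fields in parser.forms
            if fields and urlsplit(action).scheme != "https"]


# Constructed sample: form 1 is the page's insecure pattern, form 2 uses a
# scheme-relative "//" action on a page served over HTTP, form 3 is fine.
SAMPLE_HTML = """
<form action="http://example.com/login">
  <input type="text" name="username"/><input type="password" name="password"/>
</form>
<form action="//example.com/auth"><input type="password" name="pin"/></form>
<form action="https://example.com/login"><input type="password" name="password"/></form>
"""

if __name__ == "__main__":
    for action, fields in insecure_password_forms(SAMPLE_HTML, "http://example.com/"):
        print(f"password field(s) {fields} posted to {action}")
```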
Example 3. Cookie containing Session ID over HTTP
Session ID cookies must be transmitted only over protected channels. If a cookie does not have the Secure flag, the browser will also send it over unencrypted connections, where it can be eavesdropped.
https://secure.example.com/login

POST /login HTTP/1.1
Host: secure.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://secure.example.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 188

HTTP/1.1 302 Found
Date: Tue, 03 Dec 2013 21:18:55 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Set-Cookie: JSESSIONID=BD99F321233AF69593EDF52B123B5BDA; expires=Fri, 01-Jan-2014 00:00:00 GMT; path=/; domain=example.com; httponly
Location: private/
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Length: 0
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html
----------------------------------------------------------
http://example.com/private

GET /private HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://secure.example.com/login
Cookie: JSESSIONID=BD99F321233AF69593EDF52B123B5BDA;
Connection: keep-alive

HTTP/1.1 200 OK
Cache-Control: no-store
Pragma: no-cache
Expires: 0
Content-Type: text/html;charset=UTF-8
Content-Length: 730
Date: Tue, 25 Dec 2013 00:00:00 GMT
----------------------------------------------------------
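The two header-level checks in Example 1 (a Basic challenge returned for a plain-HTTP URL) and Example 3 (a Set-Cookie without the Secure flag) can be automated together. The following Python script is an added example, not part of the OWASP guide; it parses constructed responses modelled on the ones shown above and reports both findings.

```python
from urllib.parse import urlsplit


def parse_response_headers(raw):
    """Split a raw HTTP response into (status line, [(name, value), ...]).
    Headers may repeat (Set-Cookie), so a list is kept rather than a dict."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_response(url, raw):
    """Return findings for a response received for `url`: a Basic challenge
    on a plain-HTTP URL, and any cookie set without the Secure flag."""
    findings = []
    plain_http = urlsplit(url).scheme == "http"
    _, headers = parse_response_headers(raw)
    for name, value in headers:
        if name == "www-authenticate" and plain_http and value.lower().startswith("basic"):
            findings.append(f"Basic authentication offered over HTTP at {url}")
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            # Attribute names after the first ';' (expires, path, secure, ...)
            attrs = {p.strip().split("=", 1)[0].lower() for p in value.split(";")[1:]}
            if "secure" not in attrs:
                findings.append(f"cookie {cookie_name} set without Secure flag; "
                                "the browser will also send it over HTTP")
    return findings


# Constructed samples modelled on the page's Example 1 and Example 3 responses.
BASIC_401 = ("HTTP/1.1 401 Authorization Required\r\n"
             "WWW-Authenticate: Basic realm=\"Restricted Area\"\r\n"
             "Content-Type: text/html\r\n\r\n<html>...</html>")
LOGIN_302 = ("HTTP/1.1 302 Found\r\n"
             "Set-Cookie: JSESSIONID=BD99F321233AF69593EDF52B123B5BDA; "
             "expires=Fri, 01-Jan-2014 00:00:00 GMT; path=/; domain=example.com; httponly\r\n"
             "Set-Cookie: lang=en; path=/; Secure\r\n"
             "Location: private/\r\n\r\n")

if __name__ == "__main__":
    for f in (audit_response("http://example.com/restricted/", BASIC_401)
              + audit_response("https://secure.example.com/login", LOGIN_302)):
        print("finding:", f)
```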
References
OWASP Resources
- [1] OWASP Testing Guide - Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OWASP-CRYPST-002)
- [2] OWASP TOP 10 2010 - Insufficient Transport Layer Protection
- [3] OWASP TOP 10 2013 - Sensitive Data Exposure
- [4] OWASP ASVS v1.1 - V10 Communication Security Verification Requirements
Tools
- [5] curl can be used to check pages manually