Unencrypted Password Form

medium Web App Scanning Plugin ID 98082

Synopsis

Unencrypted Password Form

Description

The HTTP protocol by itself is clear text, meaning that any data that is transmitted via HTTP can be captured and the contents viewed.

To keep data private, and prevent it from being intercepted, HTTP is often tunnelled through either Secure Sockets Layer (SSL), or Transport Layer Security (TLS). When either of these encryption standards are used it is referred to as HTTPS.

Cyber-criminals will often attempt to compromise credentials passed from the client to the server using HTTP. This can be conducted via various different Man-in-The-Middle (MiTM) attacks or through network packet captures.

Scanner discovered that the affected page contains a `password` input, however, the value of the field is not sent to the server utilising HTTPS. Therefore it is possible that any submitted credential may become compromised.

Solution

The affected site should be secured utilising the latest and most secure encryption protocols. These include SSL version 3.0 and TLS version 1.2. While TLS 1.2 is the latest and the most preferred protocol, not all browsers will support this encryption method. Therefore, the more common SSL is included. Older protocols such as SSL version 2, and weak ciphers (< 128 bit) should also be disabled.

See Also

http://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection

Plugin Details

Severity: Medium

ID: 98082

Type: remote

Published: 3/31/2017

Updated: 3/3/2022

Scan Template: basic, full, overview, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information