Lack of Network Encryption


Description

The application fails to use network encryption during communications. Sensitive information such as user credentials is sent across the network in clear text over HTTP. A well-positioned attacker may be able to sniff traffic and capture or modify content.

Impact

Communications sent over an unencrypted channel are vulnerable to being captured or modified. An attacker in position on the network is capable of eavesdropping on communications in order to capture sensitive information such as credentials. With stolen credentials, an attacker can take over a user’s account and access any sensitive data associated with the account. Attackers can also inject malicious JavaScript into traffic sent over clear text channels in order to exploit users and manipulate content.
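The checks a reviewer would run to confirm this finding, as an added example that is not part of the original page: it takes the raw response to a plaintext request and the raw response to the same path over TLS, and reports whether content is still served in the clear, whether a form posts to an http:// action, and whether HSTS is present on the HTTPS side with a max-age of at least a year. The host example.test and the sample responses are constructed for the example.

```python
import re

REDIRECT_STATUSES = {301, 302, 307, 308}
ONE_YEAR = 31536000  # seconds; the max-age most hardening guides treat as the floor

# Constructed sample exchanges for the hypothetical host example.test (not a real
# capture): the answers to http://example.test/login and https://example.test/login.
SAMPLE_HTTP_SERVES_FORM = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<form method='post' action='http://example.test/login'>...</form>"
)
SAMPLE_HTTP_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/login\r\n\r\n"
SAMPLE_HTTPS_NO_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<form method='post'>...</form>"
SAMPLE_HTTPS_HSTS = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"
    "<form method='post'>...</form>"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def assess_transport(http_raw, https_raw):
    """Return the findings to raise for this pair of responses.

    http_raw is the answer to the plaintext request, https_raw the answer to the
    same path over TLS. Browsers only honour HSTS received over HTTPS (RFC 6797),
    so the header is checked on the second response, not the first.
    """
    findings = []
    status, headers, body = parse_response(http_raw)
    location = headers.get("location", "")
    if not (status in REDIRECT_STATUSES and location.lower().startswith("https://")):
        findings.append("content served over clear-text HTTP instead of redirecting to HTTPS")
    if re.search(r"action=['\"]?http://", body, re.I):
        findings.append("form posts credentials to an http:// action")
    _, s_headers, _ = parse_response(https_raw)
    max_age = re.search(r"max-age=(\d+)", s_headers.get("strict-transport-security", ""))
    if not max_age:
        findings.append("no HSTS on the HTTPS response: every fresh visit starts in clear text")
    elif int(max_age.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age shorter than one year")
    return findings
```

Pair the plaintext and TLS responses for the login path; a clean result is an empty list.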

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas

References
