Password Input on HTTP

Severity:: Medium

Description

When passwords are sent over unencrypted HTTP traffic, attackers can intercept and capture them easily, leading to unauthorized access to user accounts, sensitive data exposure, and potential compromise of the entire system.

Recommendation

Enforce the use of HTTPS to encrypt sensitive data transmission, including passwords. Ensure that all login pages, forms, and authentication mechanisms are served over HTTPS to protect user credentials.

References

OWASP: Transport Layer Protection Cheat Sheet
RFC 2818: HTTP Over TLS
CWE-16
CWE-319
OWASP 2021-A5

Related Issues

Password Sent in HTTP Query - Vulnerability
Password Sent Over HTTP - Vulnerability
Auto Complete Enabled Password Input - Vulnerability
Basic Authentication Over HTTP - Vulnerability

Tags:: Application Misconfiguration; Data Security; Network Security; Authentication; Encryption; SSL/TLS

Anything's wrong? Let us know Last updated on May 13, 2024