Difference between revisions of "Insecure Transport"

From OWASP
(Added contents from Fortify.)
Revision as of 12:22, 26 September 2008

This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.


This article includes content generously donated to OWASP by Fortify.

Last revision (mm/dd/yy): 09/26/2008


Description

The application configuration should ensure that SSL (today, TLS) is used for all access controlled pages.

If an application uses SSL to guarantee confidential communication with client browsers, the application configuration should make it impossible to view any access controlled page without SSL. However, it is not an uncommon problem that the configuration of the application fails to enforce the use of SSL on pages that contain sensitive data. The enforcement has to live on the server side (the server refuses, or redirects, any plain-HTTP request for a protected page), because two of the three bypasses below do not depend on the links the developer writes.

There are three common ways for SSL to be bypassed:

  • A user manually enters a URL and types "HTTP" rather than "HTTPS"
  • Attackers intentionally send a user to an insecure URL
  • A programmer erroneously creates a relative link to a page in the application, failing to switch from HTTP to HTTPS. (This is particularly easy to do when the link moves between public and secured areas on a web site, because a relative link inherits the scheme of the page it appears on.)
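The server-side enforcement the description calls for, as an added example that is not part of the original OWASP/Fortify text: a WSGI middleware in Python that refuses to serve access-controlled paths over plain HTTP. The protected path prefixes, the host name and the demo application behind it are assumptions made for this example. GET and HEAD requests are redirected to the https:// equivalent, a POST that arrived over HTTP is refused outright (its body, e.g. a password, has already crossed the wire in clear text, and a redirect would only hide that), and HTTPS responses carry a Strict-Transport-Security header so that a browser which has visited once will rewrite later typed or attacker-supplied http:// URLs itself, which addresses the first two bypasses above.

```python
"""WSGI middleware that refuses to serve access-controlled pages over plain HTTP.

Added example; the prefixes, host and demo app are assumptions, not OWASP code.
"""
from urllib.parse import urlunsplit

# Hypothetical access-controlled areas for this example.  A real deployment
# would derive these from the application's own access-control configuration.
PROTECTED_PREFIXES = ("/login", "/account", "/admin")
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def is_protected(path):
    """True for a protected path itself or anything below it."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def request_is_https(environ, trust_proxy_header=False):
    """Decide whether the request reached us over TLS.

    wsgi.url_scheme is what this server itself saw.  X-Forwarded-Proto is
    only honoured when a TLS-terminating reverse proxy in front of us sets
    (and strips any client-supplied) copy of it; otherwise a client can forge it.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if trust_proxy_header:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return False


def https_url(environ):
    """Rebuild the requested URL with the https scheme, keeping path and query."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    return urlunsplit(("https", host, path, environ.get("QUERY_STRING", ""), ""))


class RequireHTTPS:
    """Wrap a WSGI app so protected paths are unreachable over plain HTTP."""

    def __init__(self, app, trust_proxy_header=False):
        self.app = app
        self.trust_proxy_header = trust_proxy_header

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if request_is_https(environ, self.trust_proxy_header):
            # Already on TLS: serve the page and pin the browser to HTTPS for the future.
            def start_with_hsts(status, headers, exc_info=None):
                return start_response(status, headers + [HSTS_HEADER], exc_info)
            return self.app(environ, start_with_hsts)
        if not is_protected(path):
            return self.app(environ, start_response)  # public page, HTTP is acceptable
        if environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD"):
            start_response("301 Moved Permanently",
                           [("Location", https_url(environ)), ("Content-Type", "text/plain")])
            return [b"Redirecting to HTTPS\n"]
        # A POST over HTTP has already exposed its body; refuse and make the failure visible.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"This resource must be accessed over HTTPS\n"]


def demo_app(environ, start_response):
    """Stand-in for the real application: every page is 'sensitive'."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secret page\n"]


def make_environ(path, scheme="http", method="GET", host="example.test", forwarded=None):
    """Construct a minimal WSGI environ for offline testing (constructed input)."""
    env = {"REQUEST_METHOD": method, "PATH_INFO": path, "SCRIPT_NAME": "",
           "HTTP_HOST": host, "QUERY_STRING": "", "wsgi.url_scheme": scheme}
    if forwarded:
        env["HTTP_X_FORWARDED_PROTO"] = forwarded
    return env


def call_app(app, environ):
    """Invoke a WSGI app and collect (status, headers-as-dict, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    app = RequireHTTPS(demo_app)
    for env in (make_environ("/login"), make_environ("/login", method="POST"),
                make_environ("/account/settings", scheme="https"), make_environ("/about")):
        print(env["REQUEST_METHOD"], env["wsgi.url_scheme"], env["PATH_INFO"], "->", call_app(app, env)[:2])
```

Two caveats a deployment has to get right: `trust_proxy_header` must stay False unless a TLS-terminating proxy in front of the application is known to overwrite X-Forwarded-Proto, otherwise a client can claim "https" and walk through; and the redirect does not undo the fact that the first HTTP request (with any cookies lacking the Secure flag) was already sent in the clear, which is why the HSTS header and Secure cookies matter alongside the redirect.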


Risk Factors

TBD

Examples

  • Login pages are not SSL-protected, so credentials are submitted in clear text
  • A publicly accessible page contains a relative link to a protected page which forgets to switch to SSL, so the browser follows it with the scheme of the public page (HTTP).
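A check for the second example, added here and not part of the original page: a small scanner in Python (standard library only) that resolves every link and form action found on a public page against that page's own URL and flags those that end up at a protected path over http://. The sample HTML, the host name and the protected path prefixes are constructed for the example; a real check would run it over the site's templates or a crawl of its public pages.

```python
"""Flag links on a public page that reach access-controlled paths over plain HTTP.

Added example; the sample page, host and prefixes are constructed, not OWASP code.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical access-controlled areas (assumption for this example).
PROTECTED_PREFIXES = ("/login", "/account", "/admin")


def is_protected(path):
    """True for a protected path itself or anything below it."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


class LinkCollector(HTMLParser):
    """Collect href attributes of <a> tags and action attributes of <form> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.links.append(attrs["action"])


def insecure_links(page_url, html):
    """Return (href, resolved_url) pairs for links into protected paths that resolve to http.

    A relative href inherits the scheme of the page it appears on, so on an
    http:// page "/login" becomes http://host/login: exactly the mistake in the
    example above.  The same relative href on an https:// page is fine, which
    the check reflects by resolving against the page URL first.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href in parser.links:
        resolved = urljoin(page_url, href)
        parts = urlsplit(resolved)
        if parts.scheme == "http" and is_protected(parts.path):
            findings.append((href, resolved))
    return findings


# Constructed sample of a public page: one correct absolute https link, one
# relative link, one relative form action and one explicit http link into
# protected areas.
SAMPLE_PUBLIC_PAGE = """
<a href="/about">About</a>
<a href="/login">Sign in</a>
<a href="https://www.example.test/account/">My account</a>
<a href="http://www.example.test/admin/">Admin</a>
<form action="login" method="post"><input name="password" type="password"></form>
"""

if __name__ == "__main__":
    for page in ("http://www.example.test/index.html", "https://www.example.test/index.html"):
        print(page)
        for href, resolved in insecure_links(page, SAMPLE_PUBLIC_PAGE):
            print("  insecure link:", href, "->", resolved)
```

Run over the http:// version of the page, the relative "/login" link, the relative "login" form action and the explicit http://.../admin/ link are all reported; over the https:// version only the explicit http:// link remains, which shows that the relative-link mistake is a property of the page the link sits on, not of the link text alone.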


Related Attacks

  • Attackers eavesdropping on the unencrypted connection to steal login credentials, session IDs or other sensitive information
  • Bypassing SSL by entering HTTP instead of HTTPS
  • Sending insecure URLs of protected pages to the victim (e.g. the login page) to trick the victim into accessing the privileged pages via HTTP


Related Vulnerabilities


Related Controls


Related Technical Impacts


References

TBD