Revision as of 11:39, 29 June 2006 by Weilin Zhong
This is a Vulnerability. To view all vulnerabilities, please see the Vulnerability Category page.
The configuration of the application fails to enforce the use of SSL on pages that contain sensitive data.
- Login pages are not SSL protected
- A publicly accessible page contains a relative link to a protected page which forgets to switch to SSL.
- Attackers that are trying to steal login credentials, session ids or other sensitive information
- Bypassing SSL by entering HTTP instead of HTTPS
- Sending insecure URLs of protected pages to the victim (e.g. login page) to trick the victim into accessing the privileged pages via HTTP