Unencrypted Login Request
Severity: Medium
Type: Application-level test
WASC Threat Classification: Application Privacy Tests
CVE Reference(s): N/A
Security Risk: It may be possible to steal user login information such as usernames and passwords that are sent unencrypted --------------------------------------------------------------------------------
Possible Causes
Sensitive input fields such as usernames, password and credit card numbers are passed unencrypted
Technical Description
During the application test, it was detected that an unencrypted login request was sent to the server. Since some of the input fields used in a login process (for example: usernames, passwords, email addresses, social security number, etc.) are personal and sensitive, it is recommended that they will be sent to the server over an encrypted connection (e.g. SSL).
Any information sent to the server as clear text, may be stolen and used later for identity theft or user impersonation. In addition, several privacy regulations state that sensitive information such as user credentials will always be sent encrypted to the web site.
Affected Products
This issue may affect different types of products
References and Relevant Links
Financial Privacy: The Gramm-Leach Bliley Act
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act
California SB1386
Severity: Medium
Type: Application-level test
WASC Threat Classification: Application Privacy Tests
CVE Reference(s): N/A
Security Risk: It may be possible to steal user login information such as usernames and passwords that are sent unencrypted --------------------------------------------------------------------------------
Possible Causes
Sensitive input fields such as usernames, password and credit card numbers are passed unencrypted
Technical Description
During the application test, it was detected that an unencrypted login request was sent to the server. Since some of the input fields used in a login process (for example: usernames, passwords, email addresses, social security number, etc.) are personal and sensitive, it is recommended that they will be sent to the server over an encrypted connection (e.g. SSL).
Any information sent to the server as clear text, may be stolen and used later for identity theft or user impersonation. In addition, several privacy regulations state that sensitive information such as user credentials will always be sent encrypted to the web site.
Affected Products
This issue may affect different types of products
References and Relevant Links
Financial Privacy: The Gramm-Leach Bliley Act
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act
California SB1386
解决方案 »
免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货