Password Sent Over HTTP

Description

When passwords are sent over unencrypted HTTP traffic, attackers can intercept and capture them easily, leading to unauthorized access to user accounts, sensitive data exposure, and potential compromise of the entire system.

Recommendation

Enforce the use of HTTPS to encrypt sensitive data transmission, including passwords. Ensure that all login pages, forms, and authentication mechanisms are served over HTTPS to protect user credentials.

References

• OWASP: Transport Layer Protection Cheat Sheet
• RFC 2818: HTTP Over TLS
• CWE-16
• CWE-319
• OWASP 2021-A5

Related Issues

• Password Sent in HTTP Query - Vulnerability
• Password Input on HTTP - Vulnerability
• Basic Authentication Over HTTP - Vulnerability
• Auto Complete Enabled Password Input - Vulnerability

Tags:

Application Misconfiguration

Data Security

Network Security

Authentication

Encryption

SSL/TLS