Modes of Introduction
Architecture and Design: The product might be designed in a way that assumes that HTTP will be used, e.g., by excluding considerations of encrypted communications between client and server.
Requirements: Product requirements might not include encrypted communications, which could make it easier for designers and developers to choose HTTP.
Implementation: Developers might choose to use unencrypted protocols such as HTTP because they would not require development of additional mechanisms to support encryption, e.g., key or certificate management.
Implementation: When generating content that references web sites, such as email messages, ensure that the https:// prefix is included. If a domain name is presented without such a prefix, then clients might automatically treat the link as if it had an "http" prefix. For example, referencing a domain like "mysite.example.com" could cause it to be treated like "http://mysite.example.com", thereby sending unencrypted HTTP requests.
Operation: Designers might assume that responsibility for encrypted communications belongs to operators and/or network administrators.
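The "missing https:// prefix" introduction mode above is easy to prevent at the point where links are generated. The following is an added example, not code from this CWE entry: a small normalizer that rewrites a bare domain or an http:// URL to an explicit https:// URL before it is embedded in an email or page, and refuses schemes that should never appear in generated content. The function name and the allowed-scheme policy are assumptions for the example.

```python
"""Normalize outbound links so generated content never points at plain HTTP.

Added example for the "missing https:// prefix" introduction mode; it is not
code from the CWE entry. The name ensure_https and ALLOWED_SCHEMES are
assumptions chosen for this example.
"""
from urllib.parse import urlsplit, urlunsplit

# Assumption: generated mail/pages may only carry web links over TLS or mailto: links.
ALLOWED_SCHEMES = {"https", "mailto"}


def ensure_https(link: str) -> str:
    """Return `link` rewritten as an explicit https:// URL.

    "mysite.example.com/path"   -> "https://mysite.example.com/path"
    "http://mysite.example.com" -> "https://mysite.example.com"
    "https://..."               -> unchanged
    "ftp://...", "javascript:"  -> ValueError
    """
    link = link.strip()
    parts = urlsplit(link)
    if not parts.scheme:
        # A bare host (optionally with a path) is what a mail client would
        # silently turn into "http://...". urlsplit() puts the whole string in
        # .path when there is no scheme, so re-parse with https:// prepended.
        # Note: a bare "host:port" is parsed by urlsplit() as a scheme, so such
        # links must be written with an explicit scheme by the caller.
        parts = urlsplit("https://" + link)
    elif parts.scheme == "http":
        # Explicit cleartext link: upgrade it rather than ship it.
        parts = parts._replace(scheme="https")
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"refusing to emit link with scheme {parts.scheme!r}: {link}")
    if parts.scheme == "https" and not parts.netloc:
        raise ValueError(f"no host in link: {link}")
    return urlunsplit(parts)
```

Run the normalizer over every URL a template emits (password-reset links, notification links, tracking links) rather than trusting each template author to remember the prefix; the ValueError cases are the ones a template should never be able to produce silently.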
Applicable Platforms
Language
Class: Not Language-Specific (Undetermined)
Operating Systems
Class: Not OS-Specific (Undetermined)
Architectures
Class: Not Architecture-Specific (Undetermined)
Technologies
Class: Not Technology-Specific (Undetermined)
Common Consequences

| Scope | Impact | Likelihood |
| --- | --- | --- |
| Confidentiality, Integrity | Read Application Data, Modify Application Data. Note: HTTP can be subjected to attacks against confidentiality (by reading cleartext packets); integrity (by modifying sessions); and authenticity (by compromising servers and/or clients using cache poisoning, phishing, or other attacks that enable attackers to spoof a legitimate entity in the communication channel). | High |
Potential Mitigations
Phases: Architecture and Design
Explicitly require HTTPS or another mechanism that ensures that communication is encrypted [REF-1464].
Phases: Implementation
Avoid using "mixed content," i.e., serving a web page over HTTPS in which the page includes elements that use "http:" URLs [REF-1466] [REF-1467]. This is often done for images or other resources that do not seem to have privacy or security implications.
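Mixed content is easy to miss in review because the offending element is usually a harmless-looking image or stylesheet. The following is an added example, not code from this CWE entry: a scanner built on Python's standard html.parser that reports every element whose fetched URL uses an explicit "http:" scheme. The attribute table and the sample page are constructed for the example; the scanner covers the common subresource tags and, beyond the page's own wording, also flags a form that would submit over HTTP.

```python
"""Report mixed content: explicit http: subresources in a page meant for HTTPS.

Added example for the mixed-content mitigation; not code from the CWE entry.
URL_ATTRS, the class name and SAMPLE_PAGE are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch (or, for form, submit) over the given URL.
URL_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),          # only when rel=stylesheet, see below
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
    "object": ("data",),
    "form": ("action",),        # not a subresource, but posts user data in cleartext
}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return  # canonical/alternate links are not fetched as page resources
        for attr in URL_ATTRS.get(tag, ()):
            value = (attrs.get(attr) or "").strip()
            # Scheme-relative "//host/x" inherits https and is not flagged.
            if urlsplit(value).scheme == "http":
                self.findings.append((tag, attr, value))


def find_mixed_content(html: str):
    """Return a list of (tag, attribute, url) for every explicit http: resource."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page for the example.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://img.example.com/logo.png">
<img src="//img.example.com/banner.png">
<form action="http://www.example.com/login" method="post"></form>
<a href="http://www.example.com/about">about</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag} {attr}=\"{url}\">")
```

Plain links (`<a href="http://...">`) are navigation, not mixed content, so they are deliberately not reported; they belong to the https:// prefix check from the introduction modes instead. A scanner like this fits naturally into a template test or a CI step that renders each page once.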
Phases: Implementation; Operation
Perform "HTTPS forcing," that is, redirecting HTTP requests to HTTPS.
Phases: Operation
If the product supports multiple protocols, ensure that encrypted protocols (such as HTTPS) are required, and remove any unencrypted protocols (such as HTTP).
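"HTTPS forcing" is usually done in the reverse proxy, but the logic is small enough to show in the application layer. The following is an added example, not code from this CWE entry: a WSGI middleware that answers every request arriving over plain HTTP with a 301 to the same path and query on https://, and refuses to build a redirect for a Host header that is not on an allowlist. The class name, the allowlist parameter and the demo application are assumptions for the example.

```python
"""HTTPS forcing as a WSGI middleware (added example, not code from the CWE entry).

ForceHTTPS, allowed_hosts, demo_app and call() are names chosen for this example.
"""
from urllib.parse import quote


def https_location(host: str, environ: dict) -> str:
    """Rebuild the requested URL with an https:// scheme, keeping path and query."""
    path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


class ForceHTTPS:
    def __init__(self, app, allowed_hosts):
        self.app = app
        # Assumption: the deployment knows its own hostnames. Redirecting to an
        # attacker-supplied Host header would turn the redirect into an open redirect.
        self.allowed_hosts = {h.lower() for h in allowed_hosts}

    def __call__(self, environ, start_response):
        # Trust only the scheme the server itself determined. Behind a
        # TLS-terminating proxy the server must derive wsgi.url_scheme from a
        # header it has verified; this code deliberately does not read
        # X-Forwarded-Proto, which any client could set.
        if environ.get("wsgi.url_scheme") == "https":
            return self.app(environ, start_response)

        host = (environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")).lower()
        if host.endswith(":80"):
            host = host[:-3]  # drop the HTTP default port so the redirect uses 443
        if host not in self.allowed_hosts:
            start_response("400 Bad Request",
                           [("Content-Type", "text/plain"), ("Content-Length", "0")])
            return [b""]

        start_response("301 Moved Permanently",
                       [("Location", https_location(host, environ)),
                        ("Content-Type", "text/plain"),
                        ("Content-Length", "0")])
        return [b""]


def demo_app(environ, start_response):
    """Placeholder application that should only ever be reached over HTTPS."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secure hello\n"]


app = ForceHTTPS(demo_app, allowed_hosts={"mysite.example.com"})


def call(wsgi_app, environ: dict):
    """Invoke a WSGI app without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], captured["headers"], body
```

The redirect only helps the first request; the data in that request has already crossed the network in cleartext, which is why the Operation-phase mitigation above (remove the unencrypted listener altogether where possible) is the stronger measure and the redirect is the fallback for clients that still type "http://".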
Vulnerability Mapping Notes
Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
References
REF-1461: Amazon. "What's the Difference Between HTTP and HTTPS?" https://aws.amazon.com/compare/the-difference-between-https-and-http/
REF-1462: Cloudflare. "Why is HTTP not secure? | HTTP vs. HTTPS" https://www.cloudflare.com/learning/ssl/why-is-http-not-secure/
REF-1463: Bob Lord. "Every Pipe, Every Byte: The Case for Universal Encryption" https://medium.com/@boblord/every-pipe-every-byte-the-case-for-universal-encryption-b8e08939d2b9
REF-1464: Electronic Frontier Foundation. "Encrypting the Web" https://www.eff.org/encrypt-the-web/
REF-1465: OWASP. "Application Security Verification Standard 4.0.3 - Final" https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0.3-en.pdf
REF-1466: "Fixing mixed content"