Fluid Attacks Database

Description

This detector identifies forms on HTTPS pages that submit sensitive data to insecure HTTP endpoints. When a secure HTTPS page contains a form with an action URL starting with "http://" (excluding localhost), it creates a vulnerability where sensitive user data could be transmitted unencrypted over the network, exposing it to interception and tampering.

Weakness:

372 - Use of an insecure channel - HTTP

Category: Information Collection

Detection Strategy

• The target page must be served over HTTPS protocol

• The page must contain HTML forms with action attributes

• The form's action attribute must start with 'http://' (not 'https://')

• The action URL must not be a localhost address

• The form must contain sensitive input fields (passwords, email fields, etc.)

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.