Go Cleartext Sensitive Information
Description
Detects when sensitive information is transmitted in cleartext over HTTP connections in Go applications. This poses a security risk as sensitive data could be intercepted and read by attackers monitoring network traffic between client and server.
Detection Strategy
• Identifies when the application imports the 'net/http' package for HTTP communications
• Examines HTTP-related function calls that could transmit data
• Checks if sensitive data is being transmitted without proper encryption
• Reports a vulnerability when sensitive information is sent over non-encrypted HTTP connections
Vulnerable code example
package main

import (
	"net/http"
	"net/url"
	"strings"
)

func insecureDataTransfer(apiToken string) {...
Secure code example
package main

import (
	"net/http"
	"net/url"
	"strings"
)

func secureDataTransfer(apiToken string) {...
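The pattern this rule flags, next to a hardened form, as an added example that is not Fluid Attacks' own code. The names `buildTokenRequest`, `noDowngradeClient` and `ErrCleartext`, the form field `token` and the host `api.example.com` are assumptions made for illustration. It goes slightly beyond the rule by also rejecting redirects that would downgrade an HTTPS request to HTTP.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ErrCleartext is returned when a credential would leave over a non-TLS scheme.
var ErrCleartext = errors.New("refusing to send credential over cleartext transport")

// buildTokenRequest builds (without sending) a form POST that carries apiToken.
// requireTLS=false reproduces the flagged pattern; true is the hardened form.
func buildTokenRequest(endpoint, apiToken string, requireTLS bool) (*http.Request, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return nil, err
	}
	if requireTLS && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", ErrCleartext, u.Scheme)
	}
	form := url.Values{"token": {apiToken}} // hypothetical field name
	req, err := http.NewRequest(http.MethodPost, u.String(), strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// noDowngradeClient rejects any redirect whose target is not https before it is followed.
func noDowngradeClient() *http.Client {
	return &http.Client{CheckRedirect: func(req *http.Request, _ []*http.Request) error {
		if req.URL.Scheme != "https" {
			return ErrCleartext
		}
		return nil
	}}
}

func main() {
	// Constructed endpoints; api.example.com is a placeholder host and nothing is sent.
	for _, ep := range []string{"http://api.example.com/auth", "https://api.example.com/auth"} {
		_, err := buildTokenRequest(ep, "constructed-token", true)
		fmt.Printf("%-30s -> %v\n", ep, err)
	}
}
```
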