Python Requests Cleartext Sensitive Information
Description
Detects when sensitive information is transmitted over cleartext (non-HTTPS) using the Python requests library. This creates a security risk because data sent over HTTP can be intercepted and read by attackers performing man-in-the-middle attacks.
Detection Strategy
• Check whether the Python requests library is imported in the code
• Identify calls to requests functions (get, post, put, etc.)
• Look for HTTP URLs (those not using the HTTPS protocol)
• Check if the requests contain sensitive information in parameters, data, or json payloads
• Flag cases where sensitive data is sent over non-secure HTTP connections
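The strategy above as a small AST-based checker, added here as example code (not Fluid Attacks' own analyzer); the list of sensitive key names, the set of requests verbs and the sample source it scans are constructed for the example:

```python
import ast
# Detection rule, as added example code (not Fluid Attacks' own checker).
REQUESTS_FUNCS = {"get", "post", "put", "patch", "delete", "head", "options"}
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "api_key", "apikey", "authorization"}
PAYLOAD_KWARGS = {"params", "data", "json", "headers"}

def _str(node):
    # String literal held by an AST node, or None when it is not one.
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None

def _sensitive_keys(node):
    # Keys of a dict literal whose name marks them as sensitive (non-dict payloads yield none).
    keys = node.keys if isinstance(node, ast.Dict) else []
    return [k for k in map(_str, keys) if k and k.lower() in SENSITIVE_KEYS]

def find_cleartext_sensitive(source):
    """(line, url, keys) for each requests.<verb>("http://...", ...) call carrying a sensitive key."""
    tree = ast.parse(source)
    # Step 1: only analyse files that import requests (plain `import requests`; aliases not handled).
    if not any(isinstance(n, ast.Import) and any(a.name == "requests" for a in n.names)
               for n in ast.walk(tree)):
        return []
    findings = []
    for node in ast.walk(tree):
        # Step 2: calls of the form requests.get(...), requests.post(...), etc.
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "requests" and node.func.attr in REQUESTS_FUNCS):
            continue
        # Step 3: URL is the first positional argument and uses http://, not https://.
        url = _str(node.args[0]) if node.args else None
        if url is None or not url.lower().startswith("http://"):
            continue
        # Step 4: sensitive keys inside params=, data=, json= or headers=; Step 5: flag them.
        keys = [k for kw in node.keywords if kw.arg in PAYLOAD_KWARGS
                for k in _sensitive_keys(kw.value)]
        if keys:
            findings.append((node.lineno, url, keys))
    return findings
# Constructed sample source: the page's vulnerable and secure calls plus a benign http:// call.
SAMPLE = '''import requests
requests.post("http://api.example.com/login", json={"password": "secret123"})
requests.get("http://api.example.com/data", params={"api_key": "key_123"})
requests.post("https://api.example.com/login", json={"password": "secret123"})
requests.get("http://api.example.com/public", params={"page": "1"})
'''
if __name__ == "__main__":
    for line, url, keys in find_cleartext_sensitive(SAMPLE):
        print(f"line {line}: {keys} sent in cleartext to {url}")
```

Only the two http:// calls that carry a sensitive key are reported; the HTTPS call and the http:// call with a harmless parameter are not.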
Vulnerable code example
import requests
# VULNERABLE: Sends password over cleartext HTTP
requests.post("http://api.example.com/login", json={"password": "secret123"})
# VULNERABLE: Exposes API key in URL query params over HTTP
requests.get("http://api.example.com/data", params={"api_key": "key_123"})
Secure code example
import requests
# SAFE: Use HTTPS for encrypted data transmission
requests.post("https://api.example.com/login", json={"password": "secret123"})
# SAFE: HTTPS protects API key in transit
requests.get("https://api.example.com/data", params={"api_key": "key_123"})