Python Urllib3 Cleartext Sensitive Information
Description
Detects when sensitive information is transmitted over cleartext (non-encrypted) connections using the urllib3 library in Python. This creates a risk of data exposure since the traffic could be intercepted and read by attackers monitoring the network.
Detection Strategy
• Identifies import statements or usage of the urllib3 library in the Python code
• Looks for urllib3 HTTP requests that are not using HTTPS/SSL encryption
• Checks if sensitive data (like credentials, tokens, or personal information) is being sent in these cleartext requests
• Reports a vulnerability when sensitive information is transmitted without encryption via urllib3
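The strategy above, carried out on Python source with the standard `ast` module, as an added example written for this page (it is not Fluid Attacks' own rule implementation): the sensitive-key list and the two sample sources are assumptions constructed here.

```python
import ast

# Constructed sample inputs, modelled on a urllib3 login request over HTTP and the same request over HTTPS.
VULNERABLE_SRC = '''import urllib3
http = urllib3.PoolManager()
http.request("POST", "http://api.example.com/login",
             fields={"password": "secret123"})
'''
SECURE_SRC = VULNERABLE_SRC.replace("http://", "https://")

# Field names treated as sensitive: a small heuristic set assumed for this example, not the product's real list.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "api_key", "authorization"}


def _imports_urllib3(tree):
    """Step 1 of the strategy: does the module import urllib3 at all?"""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import) and any(a.name.split(".")[0] == "urllib3" for a in node.names):
            return True
        if isinstance(node, ast.ImportFrom) and (node.module or "").split(".")[0] == "urllib3":
            return True
    return False


def _literal_url(call):
    # URL of request(method, url, ...): second positional argument or url= keyword; string literals only.
    arg = call.args[1] if len(call.args) > 1 else next((kw.value for kw in call.keywords if kw.arg == "url"), None)
    return arg.value if isinstance(arg, ast.Constant) and isinstance(arg.value, str) else None


def _sensitive_fields(call):
    """Step 3: literal dict keys under fields=/headers=/body= whose name looks sensitive."""
    return {k.value for kw in call.keywords
            if kw.arg in ("fields", "headers", "body") and isinstance(kw.value, ast.Dict)
            for k in kw.value.keys
            if isinstance(k, ast.Constant) and str(k.value).lower() in SENSITIVE_KEYS}


def find_cleartext_sensitive(source):
    """Return [(line, url, [keys])] for each .request() call sending sensitive literal fields to an http:// URL."""
    tree = ast.parse(source)
    if not _imports_urllib3(tree):
        return []
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "request":
            url = _literal_url(node)
            if url and url.lower().startswith("http://"):  # Step 2: cleartext scheme
                keys = _sensitive_fields(node)
                if keys:  # Step 4: report only when sensitive data rides the cleartext request
                    findings.append((node.lineno, url, sorted(keys)))
    return findings
```

Only literal URLs and literal dict keys are inspected, so a URL built at runtime or a field name held in a variable is a blind spot of this heuristic.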
Vulnerable code example
import urllib3
# VULNERABLE: Sending password in plaintext over insecure HTTP
http = urllib3.PoolManager()
http.request("POST", "http://api.example.com/login",
             fields={"password": "secret123"})  # Credentials sent over cleartext HTTP
✅ Secure code example
import urllib3
# SAFE: Using HTTPS ensures password is encrypted in transit
http = urllib3.PoolManager()
http.request("POST", "https://api.example.com/login",
             fields={"password": "secret123"})  # Credentials protected by TLS