Php Sensitive Data Sent Over Http
Description
Identifies instances where sensitive data may be transmitted over insecure HTTP connections in PHP applications. This vulnerability could allow attackers to intercept sensitive information like credentials, tokens, or personal data since HTTP traffic is not encrypted during transmission.
Detection Strategy
• Check for sensitive data being processed without proper security measures or encryption
• Detect usage of insecure HTTP protocols instead of HTTPS for data transmission
• Identify requests containing sensitive information like passwords, tokens, or personal data
• Look for improper or missing sanitization of sensitive data before transmission
Vulnerable code example
<?php
use GuzzleHttp\Client;
function sendSensitiveData($creditCard) {
$client = new Client();
// Vulnerable: Sending sensitive data over non-HTTPS URL
$response = $client->request('GET', 'http://example.com/api/process', [...✅ Secure code example
<?php
use GuzzleHttp\Client;
use Exception;
function sendSensitiveData($creditCard) {
try {
$client = new Client([
'base_uri' => 'https://example.com', // Force HTTPS usage...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.