Python Aiohttp Cleartext Sensitive Information
Description
Detects when sensitive information is transmitted insecurely using the aiohttp library in Python applications. The vulnerability occurs when sensitive data is sent over HTTP rather than HTTPS, potentially exposing confidential information to network eavesdropping and man-in-the-middle attacks.
Detection Strategy
1. Confirms the aiohttp library is imported in the Python code
2. Identifies HTTP request calls made using aiohttp client methods (like get, post, put, etc.)
3. Examines if these HTTP requests contain sensitive data patterns in their parameters or payload
4. Reports a vulnerability when sensitive data is transmitted without using HTTPS protocol
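The four steps above describe a static check. The following is an added example, not Fluid Attacks' own rule implementation, that carries the same strategy out over Python source with the standard library's ast module: it confirms an aiohttp import, finds attribute calls named like aiohttp client methods, looks for sensitive keys in the json, data, params or headers arguments, and reports only when the URL literal uses http://. The sensitive-key list, the treatment of URLs (string literals only, no variables or f-strings) and the sample sources are assumptions made here for illustration.

```python
import ast

# Assumed key names that mark a payload as sensitive; extend to taste.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "api_key", "apikey", "authorization"}
# aiohttp ClientSession request methods (request() takes the URL as its 2nd argument).
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}
PAYLOAD_KWARGS = {"json", "data", "params", "headers"}


def _imports_aiohttp(tree):
    """Step 1: is aiohttp imported anywhere in the module?"""
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            if any(a.name.split(".")[0] == "aiohttp" for a in node.names):
                return True
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] == "aiohttp":
                return True
    return False


def _url_literal(call):
    """Return the URL if it is a string literal (positional or url=), else None."""
    pos = 1 if call.func.attr == "request" else 0
    if len(call.args) > pos:
        arg = call.args[pos]
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            return arg.value
    for kw in call.keywords:
        if kw.arg == "url" and isinstance(kw.value, ast.Constant) and isinstance(kw.value.value, str):
            return kw.value.value
    return None


def _has_sensitive_key(node):
    """Step 3: does any dict literal inside this argument use a sensitive key?"""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Dict):
            for key in sub.keys:
                if isinstance(key, ast.Constant) and isinstance(key.value, str) \
                        and key.value.lower() in SENSITIVE_KEYS:
                    return True
    return False


def find_cleartext_sensitive(source):
    """Return [(line, method, url)] for aiohttp calls that send sensitive data over http://."""
    tree = ast.parse(source)
    findings = []
    if not _imports_aiohttp(tree):          # step 1
        return findings
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in HTTP_METHODS):
            continue                         # step 2
        url = _url_literal(node)
        if url is None or not url.lower().startswith("http://"):
            continue                         # step 4: https (or unknown) is not reported
        payloads = [kw.value for kw in node.keywords if kw.arg in PAYLOAD_KWARGS]
        if any(_has_sensitive_key(p) for p in payloads):
            findings.append((node.lineno, func.attr, url))
    return findings


# Constructed sample sources for the checker.
VULNERABLE_SAMPLE = '''import aiohttp

async def login():
    async with aiohttp.ClientSession() as session:
        await session.post(
            "http://api.example.com/login",
            json={"password": "secret"},
        )
'''
SECURE_SAMPLE = VULNERABLE_SAMPLE.replace("http://", "https://")
# Same cleartext call, but not aiohttp: outside this rule's scope.
NO_AIOHTTP_SAMPLE = VULNERABLE_SAMPLE.replace("import aiohttp", "import requests") \
                                     .replace("aiohttp.ClientSession", "requests.Session")
# Cleartext, but no sensitive key in the payload.
HTTP_NO_SECRET_SAMPLE = VULNERABLE_SAMPLE.replace('"password"', '"page"')

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SAMPLE), ("secure", SECURE_SAMPLE),
                      ("no-aiohttp", NO_AIOHTTP_SAMPLE), ("http-no-secret", HTTP_NO_SECRET_SAMPLE)]:
        print(name, find_cleartext_sensitive(src))
```

Because the check only resolves string literals, a URL built at runtime is neither flagged nor cleared; a production rule would need data-flow tracking for that case.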
Vulnerable code example
import aiohttp

async def login():
    # VULNERABLE: Sending password over cleartext HTTP
    async with aiohttp.ClientSession() as session:
        await session.post(
            "http://api.example.com/login",
            json={"password": "secret"},
        )

✅ Secure code example
import aiohttp

async def login():
    # SAFE: Using HTTPS ensures password is encrypted in transit
    async with aiohttp.ClientSession() as session:
        await session.post(
            "https://api.example.com/login",
            json={"password": "secret"},
        )