Unprotected Transport of Credentials
ID: 523 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: INCOMPLETE |
Abstraction Type: Variant |
Description
Login pages not using adequate measures to protect the user
name and password while they are in transit from the client to the
server.
Applicable Platforms: None
Time Of Introduction
Related Attack Patterns
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Access_Control | Gain privileges / assume identity | |
Detection Methods: None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Operation | System Configuration | Enforce SSL use for the login page or any page used to transmit user credentials or other sensitive information. Even if the entire site does not use SSL, it MUST use SSL for login. Additionally, to help prevent phishing attacks, make sure that SSL serves the login page. SSL allows the user to verify the identity of the server to which they are connecting. If SSL serves the login page, the user can be certain they are talking to the proper end system. A phishing attack would typically redirect a user to a site that does not have a valid trusted server certificate issued from an authorized supplier. | | |
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-523 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative Examples: None
White Box Definitions: None
Black Box Definitions: None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
Anonymous Tool Vendor (under NDA) | | | |
References: None