CWE-523: Unprotected Transport of Credentials

Weakness ID: 523
Vulnerability Mapping: ALLOWED (this CWE ID may be used to map to real-world vulnerabilities)
Abstraction: Base (a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention; Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource)
Description

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

Common Consequences

This table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

| Scope | Impact | Likelihood |
|---|---|---|
| Access Control | Technical Impact: Gain Privileges or Assume Identity | |
Potential Mitigations

Phases: Operation; System Configuration

Enforce SSL use for the login page or any page used to transmit user credentials or other sensitive information. Even if the entire site does not use SSL, it MUST use SSL for login. Additionally, to help prevent phishing attacks, make sure that SSL serves the login page. SSL allows the user to verify the identity of the server to which they are connecting. If SSL serves the login page, the user can be certain they are talking to the proper end system. A phishing attack would typically redirect a user to a site that does not have a valid trusted server certificate issued from an authorized supplier.
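One concrete defender-side check for the mitigation above, as an added example that is not part of the CWE entry: it parses a page, finds the forms that carry a password field, resolves each form's action against the page URL, and flags every credential form whose submit URL is not https. The host name and the sample HTML are constructed for this example.

```python
# Added example, not from the CWE entry: flag login forms whose credentials
# would leave the browser over plain HTTP. Stdlib only; sample HTML is constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Record each <form> action and whether the form holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []       # list of [action, has_password]
        self._current = None  # index of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)   # boolean attributes map to None, hence the `or ""`
        if tag == "form":
            self.forms.append([attrs.get("action") or "", False])
            self._current = len(self.forms) - 1
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self.forms[self._current][1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def unprotected_login_forms(page_url, html):
    """Return submit URLs of credential forms that post over plain HTTP.
    An empty action submits back to page_url, so a login page served over
    http:// is flagged even when the form sets no action at all."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for action, has_password in scanner.forms:
        target = urljoin(page_url, action)   # relative actions inherit the page scheme
        if has_password and urlsplit(target).scheme != "https":
            findings.append(target)
    return findings


# Constructed sample: one form posts to HTTPS, one to a relative path on an HTTP page.
SAMPLE_HTML = """
<form action="https://example.test/login" method="post">
  <input name="user"><input type="password" name="pw"></form>
<form action="/legacy-login" method="post">
  <input name="user"><input type="password" name="pw"></form>"""

if __name__ == "__main__":
    print(unprotected_login_forms("http://example.test/", SAMPLE_HTML))
```

Running the same check against crawled pages of a site gives an inventory of every place credentials are still accepted over HTTP, which is exactly what the mitigation requires to be empty.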
Relationships

Background Details

SSL (Secure Sockets Layer) provides data confidentiality and integrity to HTTP. By encrypting HTTP messages, SSL protects against attackers eavesdropping on or altering message contents.
Modes Of Introduction

The different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.

| Phase | Note |
|---|---|
| Architecture and Design | OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase. |
Detection Methods

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Memberships

This MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.

Vulnerability Mapping Notes

Usage: ALLOWED (this CWE ID could be used to map to real-world vulnerabilities)
Reason: Acceptable-Use
Rationale: This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Comments: Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Taxonomy Mappings

| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| Software Fault Patterns | SFP23 | | Exposed Data |
Content History

Submissions

| Submission Date | Submitter | Organization |
|---|---|---|
| 2006-07-19 (CWE Draft 3, 2006-07-19) | Anonymous Tool Vendor (under NDA) | |

Modifications

| Modification Date | Modifier | Organization | Comment |
|---|---|---|---|
| 2008-07-01 | Eric Dalci | Cigital | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | MITRE | updated Background_Details, Relationships, Other_Notes, Taxonomy_Mappings |
| 2009-05-27 | CWE Content Team | MITRE | updated Related_Attack_Patterns |
| 2011-06-01 | CWE Content Team | MITRE | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | MITRE | updated Relationships |
| 2012-10-30 | CWE Content Team | MITRE | updated Potential_Mitigations |
| 2014-06-23 | CWE Content Team | MITRE | updated Other_Notes, Relationships |
| 2014-07-30 | CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings |
| 2017-11-08 | CWE Content Team | MITRE | updated Modes_of_Introduction, Relationships, Taxonomy_Mappings |
| 2018-03-27 | CWE Content Team | MITRE | updated Relationships |
| 2020-02-24 | CWE Content Team | MITRE | updated Description, Relationships, Type |
| 2021-10-28 | CWE Content Team | MITRE | updated Relationships |
| 2023-04-27 | CWE Content Team | MITRE | updated Detection_Factors, Relationships |
| 2023-06-29 | CWE Content Team | MITRE | updated Mapping_Notes |