Insecure http
ostorlab committed Aug 1, 2023
1 parent 0417202 commit 8191573
Showing 3 changed files with 387 additions and 142 deletions.
239 changes: 179 additions & 60 deletions WEB_SERVICE/WEB/_MEDIUM/TLS_HTTP/description.md
@@ -1,71 +1,103 @@
Clear text HTTP traffic vulnerability refers to the risk associated with transmitting data over HTTP (Hypertext Transfer Protocol) without any encryption. This means that the information being sent and received is in clear text, making it easily readable and accessible to anyone who intercepts the data. This vulnerability can lead to serious security breaches as it exposes sensitive information like usernames, passwords, credit card numbers, and other personal data to potential hackers. It is particularly dangerous when using public Wi-Fi networks where data interception is more likely.
Clear text HTTP traffic refers to data transmitted between a mobile app and its backend server without any encryption, making it easily readable and susceptible to interception by malicious actors. This lack of encryption poses significant security risks for mobile apps. When sensitive information, such as login credentials, personal data, or financial details, is sent over clear text HTTP connections, it becomes vulnerable to eavesdropping and man-in-the-middle attacks.

One of the primary risks associated with clear text HTTP traffic in mobile apps is the potential exposure of user data. Attackers can intercept and extract valuable information, leading to identity theft, unauthorized access to accounts, and misuse of personal data. Moreover, attackers can exploit these vulnerabilities to tamper with the app's content or inject malicious code into the communication channel.

Additionally, clear text HTTP traffic can compromise user privacy. Mobile apps often collect and transmit user data for analytics or targeted advertising purposes. Without encryption, this data is easily accessible to third parties, compromising users' confidentiality and potentially leading to privacy violations.

Mobile apps that fail to implement secure communication protocols also face the risk of impersonation attacks. Attackers can create fake Wi-Fi networks or use other techniques to intercept traffic, pretending to be the legitimate backend server. Users unknowingly send their data to the attacker, who can then misuse it for malicious purposes.


### Examples

#### Dart

```dart
import 'dart:convert';
import 'package:flutter/material.dart';
import 'package:http/http.dart' as http;
void main() {
runApp(MyApp());
}
void main() => runApp(LoginApp());
class MyApp extends StatelessWidget {
class LoginApp extends StatelessWidget {
@override
Widget build(BuildContext context) {
return MaterialApp(
home: Scaffold(
appBar: AppBar(
title: Text('Vulnerable Flutter App'),
),
body: MyHomePage(),
),
title: 'Login App',
home: LoginPage(),
);
}
}
class MyHomePage extends StatefulWidget {
class LoginPage extends StatefulWidget {
@override
_MyHomePageState createState() => _MyHomePageState();
_LoginPageState createState() => _LoginPageState();
}
class _MyHomePageState extends State<MyHomePage> {
final myController = TextEditingController();
@override
void dispose() {
myController.dispose();
super.dispose();
}
class _LoginPageState extends State<LoginPage> {
final TextEditingController _usernameController = TextEditingController();
final TextEditingController _passwordController = TextEditingController();
String _loginStatus = '';
void _performLogin() async {
final String username = _usernameController.text.trim();
final String password = _passwordController.text.trim();
// Simulate an HTTP request for login.
final String apiUrl = 'http://example.com/login';
final Map<String, dynamic> requestBody = {
'username': username,
'password': password,
};
final http.Response response = await http.post(
Uri.parse(apiUrl),
headers: {'Content-Type': 'application/json'},
body: json.encode(requestBody),
);
void sendHttpRequest(String url) async {
var response = await http.get(url);
print('Response status: ${response.statusCode}');
print('Response body: ${response.body}');
if (response.statusCode == 200) {
// Successful login
setState(() {
_loginStatus = 'Login successful!';
});
} else {
// Failed login
setState(() {
_loginStatus = 'Login failed. Please try again.';
});
}
}
@override
Widget build(BuildContext context) {
return Container(
margin: EdgeInsets.all(10.0),
child: Column(
children: <Widget>[
TextField(
controller: myController,
decoration: InputDecoration(
border: OutlineInputBorder(),
labelText: 'Enter URL',
return Scaffold(
appBar: AppBar(
title: Text('Login Page'),
),
body: Padding(
padding: const EdgeInsets.all(16.0),
child: Column(
mainAxisAlignment: MainAxisAlignment.center,
crossAxisAlignment: CrossAxisAlignment.stretch,
children: [
TextFormField(
controller: _usernameController,
decoration: InputDecoration(labelText: 'Username'),
),
TextFormField(
controller: _passwordController,
obscureText: true,
decoration: InputDecoration(labelText: 'Password'),
),
),
RaisedButton(
onPressed: () {
sendHttpRequest(myController.text);
},
child: Text('Send HTTP Request'),
),
],
SizedBox(height: 20),
ElevatedButton(
onPressed: _performLogin,
child: Text('Login'),
),
SizedBox(height: 10),
Text(_loginStatus, textAlign: TextAlign.center),
],
),
),
);
}
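Review bot: the rewritten description now defines the finding purely in terms of "a mobile app and its backend server" (the replacement for the removed first paragraph, and the three paragraphs after it), yet the finding lives under `WEB_SERVICE/WEB/_MEDIUM/TLS_HTTP` and the old text was client-agnostic. Either keep the general wording ("data transmitted over HTTP without encryption") and add the mobile angle as one paragraph, or move the mobile-specific text to a mobile-scoped finding, otherwise a web scan that raises this issue will show a description that talks about the wrong client. In the Dart snippet, `_performLogin` is `void ... async` with no try/catch around `http.post`; a connection failure throws a `ClientException` that is never caught and `_loginStatus` stays empty, whereas the Swift and Kotlin examples below both handle the error path. Wrapping the `await http.post(...)` in `try { ... } catch (e) { setState(() => _loginStatus = 'Login failed. Please try again.'); }` keeps the three examples consistent and the cleartext `http://example.com/login` request, which is the point of the example, unchanged.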
@@ -76,24 +108,61 @@ class _MyHomePageState extends State<MyHomePage> {

```swift
import UIKit
import Foundation

class ViewController: UIViewController {

@IBOutlet weak var urlField: UITextField!
class LoginViewController: UIViewController {
@IBOutlet weak var usernameTextField: UITextField!
@IBOutlet weak var passwordTextField: UITextField!
@IBOutlet weak var loginStatusLabel: UILabel!

override func viewDidLoad() {
super.viewDidLoad()
}

@IBAction func sendRequest(_ sender: Any) {
guard let urlString = urlField.text, let url = URL(string: urlString) else {
@IBAction func loginButtonTapped(_ sender: UIButton) {
guard let username = usernameTextField.text?.trimmingCharacters(in: .whitespacesAndNewlines),
let password = passwordTextField.text?.trimmingCharacters(in: .whitespacesAndNewlines) else {
return
}

// Simulate an HTTP request for login.
let apiUrl = "http://example.com/login"
let requestBody: [String: Any] = [
"username": username,
"password": password
]

var request = URLRequest(url: URL(string: apiUrl)!)
request.httpMethod = "POST"
request.setValue("application/json", forHTTPHeaderField: "Content-Type")

do {
request.httpBody = try JSONSerialization.data(withJSONObject: requestBody, options: [])
} catch {
print("Error creating JSON data: \(error)")
return
}

let task = URLSession.shared.dataTask(with: url) {(data, response, error) in
guard let data = data else { return }
print(String(data: data, encoding: .utf8)!)
let task = URLSession.shared.dataTask(with: request) { data, response, error in
if let error = error {
print("Error: \(error)")
DispatchQueue.main.async {
self.loginStatusLabel.text = "Login failed. Please try again."
}
return
}

guard let data = data,
let httpResponse = response as? HTTPURLResponse,
httpResponse.statusCode == 200 else {
DispatchQueue.main.async {
self.loginStatusLabel.text = "Login failed. Please try again."
}
return
}

DispatchQueue.main.async {
self.loginStatusLabel.text = "Login successful!"
}
}

task.resume()
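Review bot: the Swift example will not actually send the cleartext request as written, because App Transport Security (enabled by default since iOS 9) refuses plain `http://` loads from `URLSession` unless the app's Info.plist carries an exception (`NSAppTransportSecurity` with `NSAllowsArbitraryLoads` or an `NSExceptionDomains` entry for `example.com` with `NSExceptionAllowsInsecureHTTPLoads`). A line in the description, or a comment next to `let apiUrl = "http://example.com/login"`, should say that the vulnerable app has such an exception, since that plist entry is exactly what a reviewer looks for when triaging this finding on iOS. Minor: `URL(string: apiUrl)!` force-unwraps; it is safe for this literal but worth a `guard let` in sample code that readers copy.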
@@ -104,15 +173,65 @@ class ViewController: UIViewController {
#### Kotlin

```kotlin
import android.os.Bundle
import android.util.Log
import androidx.appcompat.app.AppCompatActivity
import kotlinx.android.synthetic.main.activity_login.*
import org.json.JSONObject
import java.io.OutputStreamWriter
import java.net.HttpURLConnection
import java.net.URL
import java.util.Scanner

fun main(args: Array<String>) {
println("Please enter the URL:")
val userInput = Scanner(System.`in`).nextLine()
val url = URL(userInput)
val connection = url.openConnection()
val content = connection.getInputStream().bufferedReader().use { it.readText() }
println(content)

class LoginActivity : AppCompatActivity() {
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
setContentView(R.layout.activity_login)

loginButton.setOnClickListener {
val username = usernameEditText.text.trim().toString()
val password = passwordEditText.text.trim().toString()

// Simulate an HTTP request for login.
val apiUrl = "https://example.com/login"
val requestBody = JSONObject().apply {
put("username", username)
put("password", password)
}.toString()

Thread {
performLogin(apiUrl, requestBody)
}.start()
}
}

private fun performLogin(apiUrl: String, requestBody: String) {
try {
val url = URL(apiUrl)
val connection = url.openConnection() as HttpURLConnection
connection.requestMethod = "POST"
connection.setRequestProperty("Content-Type", "application/json")
connection.doOutput = true

val outputStreamWriter = OutputStreamWriter(connection.outputStream)
outputStreamWriter.write(requestBody)
outputStreamWriter.flush()

val responseCode = connection.responseCode
if (responseCode == HttpURLConnection.HTTP_OK) {
runOnUiThread {
loginStatusLabel.text = "Login successful!"
}
} else {
runOnUiThread {
loginStatusLabel.text = "Login failed. Please try again."
}
}
} catch (e: Exception) {
Log.e("LoginActivity", "Error: ${e.message}")
runOnUiThread {
loginStatusLabel.text = "Login failed. Please try again."
}
}
}
}
```
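Review bot: the Kotlin example does not demonstrate the finding: `val apiUrl = "https://example.com/login"` uses HTTPS, so this snippet is the secure variant while the Dart and Swift examples use `http://example.com/login`. Change it to `http://` (or, if the intent was a before/after pair, label it as the fixed version and add an `http://` counterpart). As with iOS, note that Android 9 (API 28) and later block cleartext traffic by default, so the vulnerable app must set `android:usesCleartextTraffic="true"` in the manifest or permit it through a `networkSecurityConfig`; that manifest attribute is what a reviewer greps for when confirming this finding. Style: `kotlinx.android.synthetic.*` (Kotlin Android Extensions) is deprecated; view binding or `findViewById` would keep the sample compiling on current toolchains, and `loginStatusLabel` reads as an iOS name for what is a `TextView` here.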
44 changes: 26 additions & 18 deletions WEB_SERVICE/WEB/_MEDIUM/TLS_HTTP/meta.json
@@ -1,20 +1,28 @@
{
"risk_rating": "medium",
"short_description": "The application is transmitting sensitive data over HTTP, which is not secure.",
"references": {
"OWASP": "https://owasp.org/www-project-mobile-top-10/2016-risks/m3-insecure-communication"
},
"title": "Cleartext HTTP Traffic",
"privacy_issue": true,
"security_issue": true,
"categories": {
"OWASP_MASVS_L1": [
"MSTG_NETWORK_1",
"MSTG_NETWORK_2"
],
"OWASP_MASVS_L2": [
"MSTG_NETWORK_1",
"MSTG_NETWORK_2"
]
}
"risk_rating": "medium",
"short_description": "The application is accessing data over unencrypted channel, undermining the confidentiality and integrity of data in transit.",
"references": {
"Missing Encryption of Sensitive Data (CWE-311)": "http://cwe.mitre.org/data/definitions/311.html",
"Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection": "https://www.owasp.org/index.php/Testing_for_Weak_SSL/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)",
"Top 10 2013-A6-Sensitive Data Exposure": "https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure",
"Insufficient Transport Layer": "http://projects.webappsec.org/Insufficient-Transport-Layer-Protection",
"Cleartext Transmission of Sensitive Information (CWE-319)": "http://cwe.mitre.org/data/definitions/319.html"
},
"title": "Clear text HTTP request",
"cvss_v3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"privacy_issue": true,
"security_issue": true,
"categories": {
"OWASP_ASVS_L1": [
"V9_1_1"
],
"OWASP_ASVS_L2": [
"V1_9_1",
"V9_1_1"
],
"OWASP_ASVS_L3": [
"V1_9_1",
"V9_1_1"
]
}
}
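Review bot: the new `cvss_v3_vector` contradicts the unchanged `"risk_rating": "medium"`. `CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N` scores 9.1 (Critical); passive interception and tampering of cleartext HTTP require a position on the network path, which is normally expressed as `AV:A`, and `AC:H` is also defensible since the attacker has to be on-path at the moment the request is made. Pick a vector whose score matches the medium rating or raise the rating; the two fields should not disagree. Two further points on this hunk: the categories move from `OWASP_MASVS_L1/L2` (`MSTG_NETWORK_1`, `MSTG_NETWORK_2`) to `OWASP_ASVS_L1/L2/L3`, i.e. from the mobile standard to the web standard, while the description in the same commit becomes mobile-only, so one of the two files is pointing at the wrong audience. And the added references use plain `http://` URLs (`cwe.mitre.org`, `projects.webappsec.org`) in a finding about cleartext HTTP, plus two `www.owasp.org/index.php/...` wiki URLs that now only redirect; use `https://cwe.mitre.org/data/definitions/311.html`, `https://cwe.mitre.org/data/definitions/319.html`, and the current OWASP WSTG / Top 10 pages.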

0 comments on commit 8191573