ITLP
INSUFFICIENT TRANSPORT LAYER PROTECTION
Introduction
Because the application runs over plain HTTP, credentials such as the username and password, along with other sensitive data, are sent and received in clear text, so anyone on the network path can sniff them.
Impact
An attacker could sniff the username and password or other sensitive data and easily gain access to the victim’s account.
How to Test
Log in to the application while capturing the traffic.

Wireshark is the tool used to sniff the packets; with it we can see each packet on the wire. Using this tool we sniffed the credentials, which appear in clear text, as shown in the screenshot below.
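As an added example (not part of the original page), the checker below takes the raw bytes of one HTTP request, as Wireshark shows them under "Follow TCP Stream", and reports the credentials that travelled in clear text. It does not capture traffic itself; the sample login request and the list of sensitive field names are constructed assumptions.

```python
# Added example: flag credentials visible in a plain-HTTP request.
# Input is the raw request as copied from a Wireshark TCP stream.
import base64
from urllib.parse import parse_qs

# Form/query field names treated as credentials (assumption; extend as needed).
SENSITIVE_FIELDS = {"username", "user", "email", "password", "pass", "pwd", "passwd"}


def find_cleartext_credentials(raw_request: bytes) -> list[dict]:
    """Return one finding per credential found in the request."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    # 1. HTTP Basic authentication: base64 is an encoding, not encryption.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user = base64.b64decode(auth[6:]).decode("latin-1").split(":", 1)[0]
        findings.append({"where": "Authorization header", "field": "basic", "value": user})
    # 2. Credentials in a URL-encoded form body (the typical login POST).
    ctype = headers.get("content-type", "")
    if method.upper() == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode("latin-1")).items():
            if field.lower() in SENSITIVE_FIELDS:
                findings.append({"where": "form body", "field": field, "value": values[0]})
    # 3. Credentials in the query string (these also land in proxy and server logs).
    if "?" in path:
        for field, values in parse_qs(path.split("?", 1)[1]).items():
            if field.lower() in SENSITIVE_FIELDS:
                findings.append({"where": "query string", "field": field, "value": values[0]})
    return findings


# Constructed sample: what a login POST over plain HTTP looks like on the wire.
SAMPLE_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 34\r\n"
    b"\r\n"
    b"username=alice&password=Secret1%21"
)

if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_LOGIN):
        print(f"{f['where']}: {f['field']} = {f['value']}")
```

The same request sent over HTTPS would not be readable in the capture at all, which is the point of the fix below.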

How to Fix
We recommend implementing HTTPS instead of HTTP.
Sensitive information such as credentials must always be transferred to the server over an encrypted connection (HTTPS) so that it cannot be intercepted by malicious users.
References
https://www.acunetix.com/vulnerabilities/web/user-credentials-are-sent-in-clear-text/