HTTP And HTTPS Available

Weak Login Function: HTTP and HTTPS Available

Overview of the Vulnerability

Weak login functionality arises from improperly configured authentication practices that weaken the security of an application's authentication process. This application does not protect the confidentiality of users' credentials, because it allows the login page to load over both an HTTP and an HTTPS connection. As a result, login requests can be transmitted over HTTP in plaintext, allowing an attacker on the same network to observe these requests and obtain the login credentials.

Business Impact

A weak login function can lead to indirect financial loss through an attacker capturing login credentials and gaining access to the user's account. From there, the attacker could delete or modify data. This could also result in reputational damage for the business through the impact on customers' trust. The severity of the impact depends on the sensitivity of the data stored in and transmitted by the application, as well as the privileges of the account the attacker gains access to.

Steps to Reproduce

  1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP

  2. Use a browser to navigate to: {{URL}}

  3. Attempt to sign into the website using the login button

  4. In the HTTP interception proxy, observe that the credentials are submitted over HTTPS, but that the same login page and request are also accessible over plaintext HTTP

Proof of Concept (PoC)

The following screenshots show the full exploit:

{{screenshot}}

Recommendation(s)

A weak login function can be remediated by implementing a handful of best practices relating to authentication and session management to ensure a secure implementation. These include:

  • Enable HTTPS for the login page and all subsequent authenticated pages

  • Redirect every HTTP request to HTTPS so that browsers cannot be forced onto a plaintext connection

  • Implement the HTTP Strict Transport Security (HSTS) header so that browsers refuse to use HTTP for the site in future

  • Keep all systems, software and operating systems up to date with a repeatable patch management process

  • Validate all user input server-side

  • Ensure that the authentication mechanisms and logic are robust and that each request for a resource passes through an authorization process

The verification logic of the application, as well as all of the above, should be thoroughly tested during the development and QA phases of an application build.
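The first three recommendations above can be verified with a simple check: the HTTP variant of the login URL must redirect to HTTPS, and the HTTPS response must carry a sufficiently strong HSTS header. The following Python is an added example (not part of the original report) that performs that check over constructed sample responses, so it runs offline; the `Response` class and the example hostname are assumptions, and the one-year `max-age` threshold is the value commonly required for HSTS preload lists.

```python
"""Check whether a login endpoint is exposed over plaintext HTTP and whether
its HTTPS response carries HSTS. Uses constructed responses so it runs offline."""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

MIN_HSTS_MAX_AGE = 31536000  # one year, the value commonly required for preload lists


@dataclass
class Response:
    """Minimal stand-in (an assumption) for an HTTP response as seen by a proxy."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str:
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")


def parse_hsts(value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security header into lower-cased directives."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            k, _, v = part.partition("=")
            out[k.strip().lower()] = v.strip().strip('"')
    return out


def assess_login_transport(http_resp: Response, https_resp: Response) -> List[str]:
    """Return findings; an empty list means the login page is only served securely."""
    findings: List[str] = []
    # The plaintext URL must not serve the form; it must redirect to HTTPS.
    if 300 <= http_resp.status < 400:
        loc = http_resp.header("Location")
        if urlsplit(loc).scheme != "https":
            findings.append(f"HTTP redirect does not go to HTTPS: {loc!r}")
    else:
        findings.append(f"login page served over plaintext HTTP (status {http_resp.status})")
    # The HTTPS response must tell browsers to stop using HTTP for this site.
    hsts = parse_hsts(https_resp.header("Strict-Transport-Security"))
    max_age = hsts.get("max-age", "0")
    if not hsts:
        findings.append("HTTPS response lacks Strict-Transport-Security header")
    elif not max_age.isdigit() or int(max_age) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age too short or invalid: {max_age!r}")
    elif "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains; subdomains may still use HTTP")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HTTP = Response("http://app.example/login", 200, {"Content-Type": "text/html"})
WEAK_HTTPS = Response("https://app.example/login", 200, {"Content-Type": "text/html"})
FIXED_HTTP = Response("http://app.example/login", 301, {"Location": "https://app.example/login"})
FIXED_HTTPS = Response("https://app.example/login", 200,
                       {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
```

Run `assess_login_transport` on the weak pair to reproduce the two findings this report describes, and on the fixed pair to confirm the remediation leaves none.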

For further information, refer to the Open Web Application Security Project (OWASP) guides located at:
