Sensitive Data Exposure via Mixed Content

Overview of the Vulnerability

Mixed content occurs when a page is loaded over an HTTPS connection but the application pulls its sub-resources over a mix of HTTP and HTTPS, leaving the page susceptible to sniffing and Person-in-the-Middle (PiTM) attacks. This application discloses sensitive data via mixed content, enabling an attacker to collect sensitive metadata that can be used to escalate privileges or launch phishing campaigns against targeted users.

Business Impact

This vulnerability can lead to data theft, since a PiTM position gives the attacker the ability to read and manipulate the data exchanged with the application. Such malicious actions could also result in reputational damage for the business through the loss of customers’ trust.

Steps to Reproduce

  1. Log in as a user and navigate to: {{URL}}

  2. Open Developer Tools, switch to the Network tab, and observe that sensitive content is being served over HTTP:

{{screenshot}}

Proof of Concept (PoC)

The following screenshot shows the sensitive data served over HTTP:

{{screenshot}}

Recommendation(s)

The application should prevent mixed content from loading and make HTTPS connections the default. If a resource cannot be loaded over an HTTPS connection, it should not be displayed.
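As an added example (not part of this report template), the following standard-library Python checker lists the sub-resources an HTTPS page references over plain HTTP and separates active from passive mixed content; the sample HTML and hostnames are constructed for illustration.

```python
"""Mixed-content checker for an HTTPS page's HTML (added example, constructed input).

Remediation on the server side is a response header such as
Content-Security-Policy: upgrade-insecure-requests (browser rewrites http://
sub-resource URLs to https://) or block-all-mixed-content.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active content can run code or restyle the page; passive content is only displayed.
# Browsers block active mixed content by default but still load most passive content.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "link": "href", "form": "action"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute URL, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for table, kind in ((ACTIVE, "active"), (PASSIVE, "passive")):
            attr = table.get(tag)
            if not attr or not attrs.get(attr):
                continue
            # Only a stylesheet <link> is active; icons and prefetch hints are not.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            # Resolve relative and protocol-relative (//host/...) URLs against the page.
            url = urljoin(self.page_url, attrs[attr])
            if urlsplit(url).scheme == "http":
                self.findings.append((tag, url, kind))


def find_mixed_content(page_url, html):
    """Return mixed-content references found in `html` served from `page_url`."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages delivered over HTTPS
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample: one passive, two active, and one protocol-relative (safe) reference.
SAMPLE_HTML = """
<img src="http://cdn.example.test/profile.jpg">
<script src="http://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/safe.js"></script>
<form action="http://api.example.test/update"></form>
"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content("https://app.example.test/account", SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
```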

It is recommended to encrypt sensitive data both at rest and in transit. All data that is processed, stored, and transmitted by the application should be classified according to business need, regulatory and industry requirements, and applicable privacy laws.

Additionally, it is best practice not to store sensitive data once it is no longer required, as data that is not retained cannot be accessed or used maliciously. All sensitive data should therefore be part of a regularly reviewed maintenance cycle, and this review cycle should include rotation of secrets.

For more information refer to the following guides relating to this vulnerability: