Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CWE-523:Unprotected Transport of Credentials
Weakness ID:523
Version:v4.17
Weakness Name:Unprotected Transport of Credentials
Vulnerability Mapping:Allowed
Abstraction:Base
Structure:Simple
Status:Incomplete
Likelihood of Exploit:
DetailsContent HistoryObserved CVE ExamplesReports
▼Description

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

▼Extended Description

▼Alternate Terms
▼Relationships
Relevant to the view"Research Concepts - (1000)"
NatureMappingTypeIDName
CanAlsoBeAllowedB312Cleartext Storage of Sensitive Information
ChildOfAllowed-with-ReviewC522Insufficiently Protected Credentials
Nature: CanAlsoBe
Mapping: Allowed
Type: Base
ID: 312
Name: Cleartext Storage of Sensitive Information
Nature: ChildOf
Mapping: Allowed-with-Review
Type: Class
ID: 522
Name: Insufficiently Protected Credentials
▼Memberships
NatureMappingTypeIDName
MemberOfProhibitedC255Credentials Management Errors
MemberOfProhibitedC930OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
MemberOfProhibitedC963SFP Secondary Cluster: Exposed Data
MemberOfProhibitedC1013Encrypt Data
MemberOfProhibitedC1028OWASP Top Ten 2017 Category A2 - Broken Authentication
MemberOfProhibitedC1346OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
MemberOfProhibitedC1396Comprehensive Categorization: Access Control
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 255
Name: Credentials Management Errors
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 930
Name: OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 963
Name: SFP Secondary Cluster: Exposed Data
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1013
Name: Encrypt Data
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1028
Name: OWASP Top Ten 2017 Category A2 - Broken Authentication
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1346
Name: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Nature: MemberOf
Mapping: Prohibited
Type:Category
ID: 1396
Name: Comprehensive Categorization: Access Control
▼Tags
NatureMappingTypeIDName
MemberOfProhibitedBSBOSS-332Gain Privileges or Assume Identity (impact)
Nature: MemberOf
Mapping: Prohibited
Type:BOSSView
ID: BOSS-332
Name: Gain Privileges or Assume Identity (impact)
▼Relevant To View
Relevant to the view"Architectural Concepts - (1008)"
NatureMappingTypeIDName
MemberOfProhibitedC1013Encrypt Data
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1013
Name: Encrypt Data
Relevant to the view"OWASP Top Ten (2021) - (1344)"
NatureMappingTypeIDName
MemberOfProhibitedC1346OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 1346
Name: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Relevant to the view"Software Development - (699)"
NatureMappingTypeIDName
MemberOfProhibitedC255Credentials Management Errors
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 255
Name: Credentials Management Errors
Relevant to the view"Software Fault Pattern (SFP) Clusters - (888)"
NatureMappingTypeIDName
MemberOfProhibitedC963SFP Secondary Cluster: Exposed Data
Nature: MemberOf
Mapping: Prohibited
Type: Category
ID: 963
Name: SFP Secondary Cluster: Exposed Data
▼Background Detail

SSL (Secure Socket Layer) provides data confidentiality and integrity to HTTP. By encrypting HTTP messages, SSL protects from attackers eavesdropping or altering message contents.

▼Common Consequences
ScopeLikelihoodImpactNote
Access ControlN/AGain Privileges or Assume Identity
N/A
Scope: Access Control
Likelihood: N/A
Impact: Gain Privileges or Assume Identity
Note:
N/A
▼Potential Mitigations
Phase:Operation, System Configuration
Mitigation ID:
Strategy:
Effectiveness:
Description:

Enforce SSL use for the login page or any page used to transmit user credentials or other sensitive information. Even if the entire site does not use SSL, it MUST use SSL for login. Additionally, to help prevent phishing attacks, make sure that SSL serves the login page. SSL allows the user to verify the identity of the server to which they are connecting. If the SSL serves login page, the user can be certain they are talking to the proper end system. A phishing attack would typically redirect a user to a site that does not have a valid trusted server certificate issued from an authorized supplier.

Note:

▼Modes Of Introduction
Phase: Architecture and Design
Note:

OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.

▼Applicable Platforms
▼Demonstrative Examples
▼Observed Examples
ReferenceDescription
▼Affected Resources
    ▼Functional Areas
      ▼Weakness Ordinalities
      OrdinalityDescription
      ▼Detection Methods
      Automated Static Analysis
      Detection Method ID:DM-14
      Description:

      Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

      Effectiveness:High
      Note:

      N/A

      ▼Vulnerability Mapping Notes
      Usage:Allowed
      Reason:Acceptable-Use
      Rationale:

      This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

      Comments:

      Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

      Suggestions:
      ▼Notes
      ▼Taxonomy Mappings
      Taxonomy NameEntry IDFitEntry Name
      Software Fault PatternsSFP23N/AExposed Data
      Taxonomy Name: Software Fault Patterns
      Entry ID: SFP23
      Fit: N/A
      Entry Name: Exposed Data
      ▼Related Attack Patterns
      IDName
      CAPEC-102
      Session Sidejacking
      ID: CAPEC-102
      Name: Session Sidejacking
      ▼References
      Details not found