Sensitive Data over HTTP
- CAPEC 65
- CWE 319
- WASC 4
- PCI 3.2-6.5.4
- OWASP 2017-A3
The application transmits sensitive information over an unencrypted HTTP connection. HTTP does not provide confidentiality or integrity protection, making it possible for attackers to intercept, read, or modify transmitted data via network-based attacks such as Man-in-the-Middle (MITM).
Sensitive data may include authentication tokens, session cookies, user credentials, personal information, or API payloads.
Transmission of sensitive data over HTTP can lead to:
- Interception of credentials or session tokens
- Session hijacking and account takeover
- Exposure of personal or confidential user data
- Manipulation of requests and responses in transit
Remediation
All sensitive data should be transmitted over HTTPS instead of HTTP, so that the connection provides both confidentiality and integrity for the data in transit.
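To make the finding concrete, the following added example (not part of this knowledge-base entry) walks a set of constructed captured requests and reports those that carry credentials, session material or personal data over a plain `http://` URL, which is the check a reviewer would run against a proxy capture or an access log with request bodies. It also shows the remediation side: rewriting the URL to `https://` for a redirect and the HSTS header value to send on HTTPS responses. The header and field names treated as sensitive, the `Request` structure and the sample traffic are all assumptions made for the example. One caveat the example encodes in its comments: an HTTP-to-HTTPS redirect does not protect the first request, because the browser has already sent it in clear text; HSTS (which browsers honour only when received over HTTPS) is what stops later requests from going out over HTTP at all.

```python
"""Flag sensitive data transmitted over plain HTTP (added example, constructed data)."""
import json
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Assumed sets of header and field names that count as sensitive for this example.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}
SENSITIVE_FIELD_KEYWORDS = {"password", "passwd", "token", "session", "ssn", "card"}


@dataclass
class Request:
    """Minimal captured-request record (assumed shape, not a real proxy format)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def field_names(req):
    """Parameter names from the query string and, by content type, the body."""
    names = list(parse_qs(urlsplit(req.url).query))
    ctype = next((v for k, v in req.headers.items() if k.lower() == "content-type"), "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        names += list(parse_qs(req.body))
    elif ctype.startswith("application/json") and req.body:
        try:
            parsed = json.loads(req.body)
        except ValueError:
            parsed = None
        if isinstance(parsed, dict):
            names += list(parsed)
    return names


def sensitive_items(req):
    """Headers and parameters in the request that carry sensitive data."""
    found = [f"header:{name}" for name in req.headers if name.lower() in SENSITIVE_HEADERS]
    for name in field_names(req):
        if any(keyword in name.lower() for keyword in SENSITIVE_FIELD_KEYWORDS):
            found.append(f"field:{name}")
    return found


def findings(requests):
    """(method, url, items) for every request that sent sensitive data over http://."""
    out = []
    for req in requests:
        if urlsplit(req.url).scheme.lower() != "http":
            continue  # HTTPS (or any other scheme) is out of scope for this finding
        items = sensitive_items(req)
        if items:
            out.append((req.method, req.url, items))
    return out


def https_redirect_target(url):
    """Location value for a 301 that upgrades the request to HTTPS.
    The original plain-text request has already left the client, so the
    redirect only limits future exposure; pair it with HSTS."""
    return urlsplit(url)._replace(scheme="https").geturl()


def hsts_header():
    """HSTS value to send on HTTPS responses; browsers ignore it on plain HTTP."""
    return "max-age=31536000; includeSubDomains"


# Constructed sample traffic: two HTTPS/benign requests, three leaking ones.
SAMPLE_REQUESTS = [
    Request("POST", "http://shop.example/login",
            {"Content-Type": "application/x-www-form-urlencoded"},
            "user=alice&password=hunter2"),
    Request("GET", "http://shop.example/api/profile", {"Authorization": "Bearer abc123"}),
    Request("GET", "https://shop.example/api/profile", {"Authorization": "Bearer abc123"}),
    Request("GET", "http://shop.example/static/logo.png", {"Accept": "image/png"}),
    Request("POST", "http://shop.example/api/pay", {"Content-Type": "application/json"},
            '{"card_number": "4111111111111111", "amount": 5}'),
]

if __name__ == "__main__":
    for method, url, items in findings(SAMPLE_REQUESTS):
        print(f"{method} {url}: {', '.join(items)} -> redirect to {https_redirect_target(url)}")
```

Run over the constructed capture it reports the login form (password field), the bearer token in the `Authorization` header and the card number in the JSON body, and skips both the HTTPS request and the image fetch. In a real review the same logic is applied to a proxy export or to server logs that retain request headers, after extending the sensitive-name sets to the application's own field names.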