Insecure Transport

The call uses an insecure protocol to communicate with the server.

All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise, especially in the mobile environment where devices frequently connect to unsecured, public, wireless networks using WiFi connections. In these cases, an encrypted (secure) protocol should be used.

Example 1: The following example sends data over the HTTP protocol (instead of using HTTPS).

...
HttpRequest req = new HttpRequest();
req.setEndpoint('http://example.com');
HTTPResponse res = new Http().send(req);
...

The incoming HttpResponse object, res, might be compromised as it is delivered over an unencrypted and unauthenticated channel.

The call uses an insecure protocol to communicate with the server.

All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to man-in-the-middle attacks, where devices frequently connect to unsecured, public, wireless networks using WiFi connections.

Example 1: The following code uses insecure HTTP protocol (instead of using HTTPS):

    var account = new CloudStorageAccount(storageCredentials, false);

The call uses an insecure protocol instead of a secure protocol to communicate with the server.

All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise, especially in the mobile environment where devices frequently connect to unsecured, public, wireless networks using WiFi connections.

Example 1: The following example reads data using the HTTP protocol (instead of using HTTPS).

  ...
  String url = 'http://10.0.2.2:11005/v1/key';
  Response response = await get(url, headers: headers);
  ...

The incoming response,response, might have been compromised as it is delivered over an unencrypted and unauthenticated channel.

The call uses an insecure protocol instead of a secure protocol to communicate with the server.

All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise, especially in environments where devices frequently connect to unsecured public wireless networks.

Example 1: The following example sets up a Web server using the HTTP protocol (instead of using HTTPS).

	helloHandler := func(w http.ResponseWriter, req *http.Request) {
		io.WriteString(w, "Hello, world!\n")
	}

	http.HandleFunc("/hello", helloHandler)
	log.Fatal(http.ListenAndServe(":8080", nil))

The call uses an insecure protocol instead of a secure protocol to communicate with the server.

All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise, especially in the mobile environment where devices frequently connect to unsecured, public, wireless networks using WiFi connections.

Example 1: The following example reads data using the HTTP protocol (instead of using HTTPS).

var http = require('http');
...
http.request(options, function(res){
  ...
});
...

The incoming http.IncomingMessage object,res, may have been compromised as it is delivered over an unencrypted and unauthenticated channel.

The call uses the HTTP protocol instead of HTTPS to send data to the server.

All data sent over HTTP is sent in the clear and subject to compromise.

Example 1: The following example sends data over the HTTP protocol (versus HTTPS).

NSString * const USER_URL = @"http://localhost:8080/igoat/user";
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:USER_URL]];
[[NSURLConnection alloc] initWithRequest:request delegate:self];

The call uses an insecure protocol instead of a secure protocol to communicate with the server.

All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise, especially in environments where devices frequently connect to unsecured public wireless networks.

Example 1: The following example disables encryption on a socket.

...
stream_socket_enable_crypto($fp, false);
...

The code uses an insecure method for communication.

All communication sent with an insecure, unencrypted, or plain text protocol is subject to compromise.

The call uses an unencrypted connection instead of an encrypted connection to communicate with the server.

All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise.

Example 1: The following example reads data using the HTTP protocol (instead of using HTTPS).

require 'net/http'
conn = Net::HTTP.new(URI("http://www.website.com/"))
in = conn.get('/index.html')
...

The incoming stream,in, may have been compromised as it is delivered over an unencrypted and unauthenticated channel.

The call uses an insecure protocol instead of a secure protocol to communicate with the server.

All communication over HTTP, FTP, or gopher is unauthenticated and unencrypted. It is therefore subject to compromise, especially in the mobile environment where devices frequently connect to unsecured, public, wireless networks using WiFi connections.

Example 1: The following example reads data using the HTTP protocol (instead of using HTTPS).

   val url = Uri.from(scheme = "http", host = "192.0.2.16", port = 80, path = "/")
   val responseFuture: Future[HttpResponse] = Http().singleRequest(HttpRequest(uri = url))

The incoming response, responseFuture, may have been compromised as it is delivered over an unencrypted and unauthenticated channel.

The call uses the HTTP protocol instead of HTTPS to send data to the server.

All data sent over HTTP is sent in the clear and subject to compromise.

Example 1: The following example sends data over the HTTP protocol (versus HTTPS).

let USER_URL = "http://localhost:8080/igoat/user"
let request : NSMutableURLRequest = NSMutableURLRequest(URL:NSURL(string:USER_URL))
let conn : NSURLConnection = NSURLConnection(request:request, delegate:self)

Transmission of sensitive data over unencrypted connections could lead to information theft or unauthorized modification of data.

Programmers who deal with the exchange of information such as credentials, credit card numbers, social security numbers and other similarly sensitive private information must protect it from unauthorized access and modification. Transmitting such sensitive data using query parameters leave them susceptible to interception and tampering by attackers using man-in-the-middle attacks. At a minimum, this issue can allow an attacker to garner information from query strings that can be utilized in escalating the method of attack, such as information about the internal workings of the application or database column names.
The attacker can exploit this issue to impersonate a legitimate user, obtain proprietary data, or execute actions not intended by the application developers.
Data transferred using query string parameters are also logged on the server. This further exposes the sensitive information to unauthorized access.