Definition Reference

Not Logged In [Login Now]

Synopsis

Detects pages that submit a password over an unencrypted connection

Description

This definition detects password fields that are submitted over unencrypted connection (a non-SSL connection). Sending passwords over an unencrypted connection can allow them to be sniffed by malicious users.

The form that contains the password field must be modified such that it submits the form over HTTPS.

Reference

OWASP: 2010-A9

Definition Code

/*
 * Name: Audit.Compliance.Insecure_Password_Transfer
 * Version: 3
 * ID: 219
 * Message: The given webpage transfers the users' password over an unencrypted connection
 * Severity: Medium
 */

importPackage(Packages.ThreatScript);
importPackage(Packages.HTTP);

function analyze( httpResponse, variables, environment ){

	var parser = httpResponse.getDocumentParser();
	var location = new URL( httpResponse.getLocation() );

	//Get a list of all script tags
	var tagNameFilter = new TagNameFilter("form");
	var nodesList = parser.extractAllNodesThatMatch(tagNameFilter); 

	//Analyze each script tag to determine if any have a non-local script reference
	for( var c = 0; c < nodesList.size(); c++ ){

		var tag = nodesList.elementAt(c);
		var action = tag.getAttribute("action");
		
		if (action != null){
			try{
				var submissionLocation = new URL( location, action );
				
				//Determine if the protocol is HTTP instead of HTTPS
				if( submissionLocation != null && submissionLocation.getProtocol().equalsIgnoreCase("http") ){
				
					//Determine if one of the fields within the form is a password element
					var inputNodesList = tag.getFormInputs();
					
					for( var d = 0; d < inputNodesList.size(); d++ ){
						var inputTag = inputNodesList.elementAt(d);
						
						var inputType = inputTag.getAttribute("action");
						
						if( inputType != null && inputType.equalsIgnoreCase("password") ) {
							return new Result( true, "Unencrypted password submission to : " + submissionLocation );
						}
					}
				}
			}
			catch(e){
				/*
				 * Ignore this exception, this can occur when the HTML is malformed. A malformed script
				 * source tag shouldn't be followable and therefore should not be a threat.
				 */
			}
		}
	}

	return new Result( false, "No unencrypted password transfers detected" );
}

Related Links

Insecure_Password_Transfer

Synopsis

Description

Reference

Definition Code