R181. Transmit data using secure protocols

This document contains the details of the security requirements related to the definition and management of data transmission in the organization. This requirement establishes the importance of using secure protocols to transmit sensitive information.

Requirement

The transmission of sensitive information and the execution of sensitive functions must be performed through secure protocols.

Description

A system can send information through a non-encrypted channel using insecure protocols. With these protocols, anyone positioned on the network path can read the traffic, and it is much easier to perform a man-in-the-middle attack (MitM) to intercept and modify the information. Examples of such insecure protocols are HTTP, FTP, POP3 and Telnet.

Implementation

  1. Deploy applications using HTTPS in the application server: When using this protocol, the channel between the clients and the deployed web applications is encrypted. For this, it is necessary to have certificates issued by a trusted certificate authority (CA), and plain HTTP should redirect to HTTPS rather than serve the application itself.

  2. Use secure services instead of standard services: When you need to transmit sensitive information using services such as FTP and POP3, enable the TLS-protected version of each protocol (FTPS, POP3S) or replace it with a protocol that offers the same function over an encrypted channel, such as SFTP or SCP over SSH instead of FTP, and SSH instead of Telnet. Clients must be configured so that a failed TLS or SSH handshake is an error, not a reason to fall back to the cleartext protocol.
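As an added example (not Fluid Attacks' own code or tooling), the following Python module applies both implementation steps on the client side: it rejects any URL whose scheme is one of the cleartext protocols named above, builds a hardened TLS context (TLS 1.2 or later, certificate chain verified, hostname checked), and opens connections with no fallback to plaintext when the handshake fails. The scheme table, the function names and the `*.example` hostnames are illustrative assumptions; only `tls_connect` and the optional live probe in `main` touch the network.

```python
"""Transport-security policy helper (added example; not Fluid Attacks code).

Enforces R181 on the client side: every outbound URL must use an encrypted
scheme, and every TLS connection is made with a hardened context and no
fallback to cleartext.  The scheme table, names and hostnames are
illustrative assumptions, not part of any product.
"""
import socket
import ssl
import sys
from typing import Optional
from urllib.parse import urlparse

# Cleartext protocols named on this page, mapped to the encrypted replacement
# (assumption: this table is an illustrative policy, extend it per environment).
CLEARTEXT_SCHEMES = {
    "http": "https",
    "ftp": "sftp (SSH) or ftps",
    "pop3": "pop3s",
    "telnet": "ssh",
}
ENCRYPTED_SCHEMES = {"https", "sftp", "ftps", "pop3s", "ssh", "wss"}


class InsecureTransportError(ValueError):
    """Raised when a URL would send data over an unencrypted channel."""


def transport_verdict(url: str) -> str:
    """Return "ok" for an encrypted scheme, or "reject: ..." naming the fix."""
    scheme = urlparse(url).scheme.lower()
    if scheme in ENCRYPTED_SCHEMES:
        return "ok"
    if scheme in CLEARTEXT_SCHEMES:
        return f"reject: {scheme} is cleartext; use {CLEARTEXT_SCHEMES[scheme]}"
    return f"reject: unknown scheme {scheme!r}; deny by default"


def require_secure_scheme(url: str) -> str:
    """Fail closed: raise instead of silently downgrading the transport."""
    verdict = transport_verdict(url)
    if verdict != "ok":
        raise InsecureTransportError(f"{verdict}: {url}")
    return url


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS 1.2+, chain verified against the CA bundle, hostname checked."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings that matter for an audit or a unit test."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def tls_connect(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a verified TLS socket.  A failed handshake raises; there is
    deliberately no retry over a plain socket (ASVS 9.1.1: no fallback)."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except (ssl.SSLError, OSError):
        raw.close()
        raise


def main(argv):
    if len(argv) == 3:  # live probe:  python transport_policy.py HOST PORT
        with tls_connect(argv[1], int(argv[2]), hardened_client_context()) as tls:
            print(argv[1], tls.version(), tls.cipher()[0])
        return 0
    # Offline demo on constructed URLs (hostnames are made up for the example).
    for url in ("https://intranet.example/login", "http://intranet.example/login",
                "ftp://files.example/backup.tgz", "telnet://router.example"):
        print(f"{url:40} {transport_verdict(url)}")
    print(context_policy(hardened_client_context()))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments for the offline policy demo, or with a host and port to perform one verified TLS handshake and print the negotiated version and cipher; a server that only offers cleartext, an expired certificate or a hostname mismatch makes `tls_connect` raise rather than silently degrade.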

Attacks

  1. An attacker with access to non-encrypted channels performs a man-in-the-middle (MitM) attack over the vulnerable assets in order to intercept, obtain and/or modify the transmitted information.

Attributes

  • Layer: Resource Layer

  • Asset: Information Assets

  • Scope: Confidentiality

  • Phase: Operation

  • Type of Control: Recommendation

References

  1. CWE-200: Exposure of Sensitive Information to an Unauthorized Actor The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  2. CWE-311: Missing Encryption of Sensitive Data The software does not encrypt sensitive or critical information before storage or transmission.

  3. CWE-319: Cleartext Transmission of Sensitive Information The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

  4. CWE-326: Inadequate Encryption Strength The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

  5. CWE-598: Use of GET Request Method With Sensitive Query Strings The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request.

  6. Directive 2002/58/EC (amended by E-privacy Directive 2009/136/EC). Art. 4: Security of processing.(1a) The measures referred to in paragraph 1 shall at least protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure.

  7. OWASP-ASVS v4.0.1 V1.9 Communications Architectural Requirements.(1.9.1) Verify the application encrypts communications between components, particularly when these components are in different containers, systems, sites, or cloud providers.

  8. OWASP-ASVS v4.0.1 V2.2 General Authenticator Requirements.(2.2.5) Verify that where a credential service provider (CSP) and the application verifying authentication are separated, mutually authenticated TLS is in place between the two endpoints.

  9. OWASP-ASVS v4.0.1 V3.1 Fundamental Session Management Requirements.(3.1.1) Verify the application never reveals session tokens in URL parameters or error messages.

  10. OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data.(8.3.1) Verify that sensitive data is sent to the server in the HTTP message body or headers, and that query string parameters from any HTTP verb do not contain sensitive data.

  11. OWASP-ASVS v4.0.1 V9.1 Communications Security Requirements.(9.1.1) Verify that secured TLS is used for all client connectivity, and does not fall back to insecure or unencrypted protocols.

  12. PCI 6.5.4 Insecure communications/transport layer protection
