CWE-319
AllowedCleartext Transmission of Sensitive Information
Abstraction: Base · Status: Draft
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
1147 vulnerabilities reference this CWE, most recent first.
GHSA-X9PV-2VFG-2257
Vulnerability from github – Published: 2024-05-14 15:32 – Updated: 2024-05-14 15:32NVIDIA ChatRTX for Windows contains a vulnerability in the ChatRTX UI and backend, where a user can cause a clear-text transmission of sensitive information issue by data sniffing. A successful exploit of this vulnerability might lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2024-0098"
],
"database_specific": {
"cwe_ids": [
"CWE-319"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T14:39:31Z",
"severity": "MODERATE"
},
"details": "NVIDIA ChatRTX for Windows contains a vulnerability in the ChatRTX UI and backend, where a user can cause a clear-text transmission of sensitive information issue by data sniffing. A successful exploit of this vulnerability might lead to information disclosure.",
"id": "GHSA-x9pv-2vfg-2257",
"modified": "2024-05-14T15:32:51Z",
"published": "2024-05-14T15:32:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0098"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5533"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X9XX-826M-934X
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-08-06 00:00The Credova_Financial WordPress plugin discloses a site's associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled. This affects versions up to, and including, 1.4.8.
{
"affected": [],
"aliases": [
"CVE-2021-39342"
],
"database_specific": {
"cwe_ids": [
"CWE-319",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-29T20:15:00Z",
"severity": "MODERATE"
},
"details": "The Credova_Financial WordPress plugin discloses a site\u0027s associated Credova API account username and password in plaintext via an AJAX action whenever a site user goes to checkout on a page that has the Credova Financing option enabled. This affects versions up to, and including, 1.4.8.",
"id": "GHSA-x9xx-826m-934x",
"modified": "2022-08-06T00:00:52Z",
"published": "2022-05-24T19:16:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39342"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/2606811/credova-financial/trunk/credova-financial.php"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39342"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XC3V-GXV5-4X7Q
Vulnerability from github – Published: 2024-03-14 21:30 – Updated: 2024-03-14 21:30The affected product is vulnerable to a cleartext transmission of sensitive information vulnerability, which may allow an attacker to capture packets to craft their own requests.
{
"affected": [],
"aliases": [
"CVE-2024-0860"
],
"database_specific": {
"cwe_ids": [
"CWE-319"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-14T21:15:50Z",
"severity": "HIGH"
},
"details": "\nThe affected product is vulnerable to a cleartext transmission of sensitive information vulnerability, which may allow an attacker to capture packets to craft their own requests.\n\n",
"id": "GHSA-xc3v-gxv5-4x7q",
"modified": "2024-03-14T21:30:51Z",
"published": "2024-03-14T21:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0860"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XF85-363P-868W
Vulnerability from github – Published: 2026-07-01 21:06 – Updated: 2026-07-01 21:06Summary
oras-go's auth.Client follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating its scheme or host. The realm field is server-controlled by design in the OCI/distribution spec — registries legitimately point token requests at a separate auth endpoint (e.g. Docker Hub's registry-1.docker.io -> auth.docker.io), so cross-host realms on public DNS names are not in themselves a vulnerability. Two specific patterns, however, are never legitimate under any registry trust model and can be abused by a malicious or compromised registry (or a man-in-the-middle on a plaintext connection):
-
SSRF to internal networks. A realm of
http://169.254.169.254/...(AWS/Azure IMDS),http://10.0.0.x/...(RFC 1918), orhttp://127.0.0.1/...causes oras-go running on a cloud VM or corporate workstation to issue outbound HTTP requests from inside the user's trust boundary to an endpoint the user did not choose. The user's stored credentials are attached to those requests, but the principal harm is the network primitive — probing internal endpoints from the client. On IMDSv1 the response body is recoverable from log channels; on IMDSv2 the probe itself can still be used for service discovery. -
TLS downgrade. A registry contacted over
https://can return a realm with anhttp://scheme, causing oras-go to send the user's credentials over plaintext to the token endpoint. This defeats the transport security the user chose when typinghttps://.
What is NOT claimed
This advisory does not claim that credential forwarding to an arbitrary public attacker host through a server-controlled realm is, on its own, a vulnerability. The distribution spec defines realm as a server-controlled field; a strict same-host or same-eTLD+1 enforcement would deviate from the spec and break legitimate split-host deployments. Operators who want defense-in-depth against cross-host realm forwarding can use the opt-in Client.TrustedRealmHosts allowlist (added separately).
Affected versions
oras.land/oras-go/v2 <= v2.6.0
Severity
Medium. Network attack vector, low complexity, no privileges required, user interaction required (victim runs an oras command against the malicious or MITM'd registry), unchanged scope. Confidentiality impact is limited — IMDS probe responses can disclose information, and TLS downgrade exposes the realm request to passive observers — but the attacker does not obtain credentials beyond what the malicious endpoint already controls.
Affected code
registry/remote/auth/client.go—Client.Do()(bearer challenge handling)registry/remote/auth/client.go—Client.fetchBearerToken()/fetchDistributionToken/fetchOAuth2Token
The realm parameter from parseChallenge is threaded through to http.NewRequestWithContext without scheme or host validation.
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
- CWE-319: Cleartext Transmission of Sensitive Information
Patch
registry/remote/auth/client.go now rejects realm URLs that:
- use a scheme other than
httporhttps - use
httpwhen the registry was contacted overhttps(TLS downgrade) - use an IP literal in a loopback, link-local, private, or unspecified range, unless the registry itself was reached at the same hostname (so loopback / in-cluster deployments are unaffected)
Cross-host realms on public DNS names continue to be accepted.
Credit
Reported by bugbunny.ai.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "oras.land/oras-go/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "oras.land/oras-go"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.2.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48978"
],
"database_specific": {
"cwe_ids": [
"CWE-319",
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-01T21:06:10Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Summary\n\noras-go\u0027s `auth.Client` follows the `realm` URL from a registry\u0027s `WWW-Authenticate: Bearer` challenge without validating its scheme or host. The `realm` field is server-controlled by design in the OCI/distribution spec \u2014 registries legitimately point token requests at a separate auth endpoint (e.g. Docker Hub\u0027s `registry-1.docker.io` -\u003e `auth.docker.io`), so cross-host realms on public DNS names are not in themselves a vulnerability. Two specific patterns, however, are never legitimate under any registry trust model and can be abused by a malicious or compromised registry (or a man-in-the-middle on a plaintext connection):\n\n1. **SSRF to internal networks.** A realm of `http://169.254.169.254/...` (AWS/Azure IMDS), `http://10.0.0.x/...` (RFC 1918), or `http://127.0.0.1/...` causes oras-go running on a cloud VM or corporate workstation to issue outbound HTTP requests from inside the user\u0027s trust boundary to an endpoint the user did not choose. The user\u0027s stored credentials are attached to those requests, but the principal harm is the network primitive \u2014 probing internal endpoints from the client. On IMDSv1 the response body is recoverable from log channels; on IMDSv2 the probe itself can still be used for service discovery.\n\n2. **TLS downgrade.** A registry contacted over `https://` can return a realm with an `http://` scheme, causing oras-go to send the user\u0027s credentials over plaintext to the token endpoint. This defeats the transport security the user chose when typing `https://`.\n\n## What is NOT claimed\n\nThis advisory does **not** claim that credential forwarding to an arbitrary public attacker host through a server-controlled realm is, on its own, a vulnerability. The distribution spec defines `realm` as a server-controlled field; a strict same-host or same-eTLD+1 enforcement would deviate from the spec and break legitimate split-host deployments. Operators who want defense-in-depth against cross-host realm forwarding can use the opt-in `Client.TrustedRealmHosts` allowlist (added separately).\n\n## Affected versions\n\n`oras.land/oras-go/v2 \u003c= v2.6.0`\n\n## Severity\n\nMedium. Network attack vector, low complexity, no privileges required, user interaction required (victim runs an oras command against the malicious or MITM\u0027d registry), unchanged scope. Confidentiality impact is limited \u2014 IMDS probe responses can disclose information, and TLS downgrade exposes the realm request to passive observers \u2014 but the attacker does not obtain credentials beyond what the malicious endpoint already controls.\n\n## Affected code\n\n- `registry/remote/auth/client.go` \u2014 `Client.Do()` (bearer challenge handling)\n- `registry/remote/auth/client.go` \u2014 `Client.fetchBearerToken()` / `fetchDistributionToken` / `fetchOAuth2Token`\n\nThe `realm` parameter from `parseChallenge` is threaded through to `http.NewRequestWithContext` without scheme or host validation.\n\n## CWE\n\n- CWE-918: Server-Side Request Forgery (SSRF)\n- CWE-319: Cleartext Transmission of Sensitive Information\n\n## Patch\n\n`registry/remote/auth/client.go` now rejects realm URLs that:\n\n- use a scheme other than `http` or `https`\n- use `http` when the registry was contacted over `https` (TLS downgrade)\n- use an IP literal in a loopback, link-local, private, or unspecified range, unless the registry itself was reached at the same hostname (so loopback / in-cluster deployments are unaffected)\n\nCross-host realms on public DNS names continue to be accepted.\n\n## Credit\n\nReported by bugbunny.ai.",
"id": "GHSA-xf85-363p-868w",
"modified": "2026-07-01T21:06:10Z",
"published": "2026-07-01T21:06:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/oras-project/oras-go/security/advisories/GHSA-xf85-363p-868w"
},
{
"type": "WEB",
"url": "https://github.com/oras-project/oras-go/commit/7a9f4b0b9558821b0422152ebe21ae56930fe764"
},
{
"type": "PACKAGE",
"url": "https://github.com/oras-project/oras-go"
},
{
"type": "WEB",
"url": "https://github.com/oras-project/oras-go/releases/tag/v2.6.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens"
}
GHSA-XG72-J456-MCJ9
Vulnerability from github – Published: 2025-03-05 09:30 – Updated: 2025-03-05 09:30Secure flag not set and SameSIte was set to Lax in the Foreseer Reporting Software (FRS). Absence of this secure flag could lead into the session cookie being transmitted over unencrypted HTTP connections. This security issue has been resolved in the latest version of FRS v1.5.100.
{
"affected": [],
"aliases": [
"CVE-2025-22493"
],
"database_specific": {
"cwe_ids": [
"CWE-319"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-05T09:15:10Z",
"severity": "MODERATE"
},
"details": "Secure flag not set and SameSIte was set to Lax in the Foreseer Reporting Software (FRS). Absence of this secure flag could lead into the session cookie being transmitted over unencrypted HTTP connections. This security issue has been resolved in the latest version of FRS v1.5.100.",
"id": "GHSA-xg72-j456-mcj9",
"modified": "2025-03-05T09:30:52Z",
"published": "2025-03-05T09:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22493"
},
{
"type": "WEB",
"url": "https://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/etn-va-2024-1009.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-XGGM-6FJ3-47W2
Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49Intuit Lacerte 2017 for Windows in a client/server environment transfers the entire customer list in cleartext over SMB, which allows attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM) attacks via unspecified vectors. The customer list contains each customer's full name, social security number (SSN), address, job title, phone number, Email address, spouse's phone/Email address, and other sensitive information. After the client software authenticates to the server database, the server sends the customer list. There is no need for further exploitation as all sensitive data is exposed. This vulnerability was validated on Intuit Lacerte 2017, however older versions of Lacerte may be vulnerable.
{
"affected": [],
"aliases": [
"CVE-2018-11338"
],
"database_specific": {
"cwe_ids": [
"CWE-319"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-31T14:29:00Z",
"severity": "HIGH"
},
"details": "Intuit Lacerte 2017 for Windows in a client/server environment transfers the entire customer list in cleartext over SMB, which allows attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM) attacks via unspecified vectors. The customer list contains each customer\u0027s full name, social security number (SSN), address, job title, phone number, Email address, spouse\u0027s phone/Email address, and other sensitive information. After the client software authenticates to the server database, the server sends the customer list. There is no need for further exploitation as all sensitive data is exposed. This vulnerability was validated on Intuit Lacerte 2017, however older versions of Lacerte may be vulnerable.",
"id": "GHSA-xggm-6fj3-47w2",
"modified": "2022-05-13T01:49:11Z",
"published": "2022-05-13T01:49:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11338"
},
{
"type": "WEB",
"url": "https://corporateblue.com/your-taxes-are-being-leaked"
},
{
"type": "WEB",
"url": "https://www.themikewylie.com/intuit-lacerte-vulnerability-and-data-exposure-cve-2018-11338-cve-2018-14833"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XGXJ-CFPH-MM49
Vulnerability from github – Published: 2022-12-19 15:30 – Updated: 2022-12-27 18:30** DISPUTED ** A vulnerability was found in whohas. It has been rated as problematic. This issue affects some unknown processing of the component Package Information Handler. The manipulation leads to cleartext transmission of sensitive information. The attack may be initiated remotely. The real existence of this vulnerability is still doubted at the moment. The name of the patch is 667c3e2e9178f15c23d7918b5db25cd0792c8472. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216251. NOTE: Most sources redirect to the encrypted site which limits the possibilities of an attack.
{
"affected": [],
"aliases": [
"CVE-2021-4258"
],
"database_specific": {
"cwe_ids": [
"CWE-319"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-19T14:15:00Z",
"severity": "HIGH"
},
"details": "** DISPUTED ** A vulnerability was found in whohas. It has been rated as problematic. This issue affects some unknown processing of the component Package Information Handler. The manipulation leads to cleartext transmission of sensitive information. The attack may be initiated remotely. The real existence of this vulnerability is still doubted at the moment. The name of the patch is 667c3e2e9178f15c23d7918b5db25cd0792c8472. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216251. NOTE: Most sources redirect to the encrypted site which limits the possibilities of an attack.",
"id": "GHSA-xgxj-cfph-mm49",
"modified": "2022-12-27T18:30:20Z",
"published": "2022-12-19T15:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4258"
},
{
"type": "WEB",
"url": "https://github.com/whohas/whohas/commit/667c3e2e9178f15c23d7918b5db25cd0792c8472"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.216251"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XHMG-MV86-W89P
Vulnerability from github – Published: 2024-08-15 18:31 – Updated: 2024-08-15 18:31IBM QRadar Network Packet Capture 7.5 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 289858.
{
"affected": [],
"aliases": [
"CVE-2024-31905"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-319"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-15T17:15:17Z",
"severity": "MODERATE"
},
"details": "IBM QRadar Network Packet Capture 7.5 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 289858.",
"id": "GHSA-xhmg-mv86-w89p",
"modified": "2024-08-15T18:31:51Z",
"published": "2024-08-15T18:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31905"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/289858"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7160961"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XHP8-XQFF-CR9G
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2023-11-16 15:30Cleartext Transmission of Sensitive Information between McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update and McAfee Global Threat Intelligence (GTI) servers using DNS allows a remote attacker to view the requests from ENS and responses from GTI over DNS. By gaining control of an intermediate DNS server or altering the network DNS configuration, it is possible for an attacker to intercept requests and send their own responses.
{
"affected": [],
"aliases": [
"CVE-2020-7308"
],
"database_specific": {
"cwe_ids": [
"CWE-319"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-15T08:15:00Z",
"severity": "MODERATE"
},
"details": "Cleartext Transmission of Sensitive Information between McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update and McAfee Global Threat Intelligence (GTI) servers using DNS allows a remote attacker to view the requests from ENS and responses from GTI over DNS. By gaining control of an intermediate DNS server or altering the network DNS configuration, it is possible for an attacker to intercept requests and send their own responses.",
"id": "GHSA-xhp8-xqff-cr9g",
"modified": "2023-11-16T15:30:19Z",
"published": "2022-05-24T17:47:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7308"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10354"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XHQG-J6G5-RP58
Vulnerability from github – Published: 2023-07-06 21:15 – Updated: 2024-10-14 06:30Hitron Technologies CODA-5310’s Telnet function transfers sensitive data in plaintext. An unauthenticated remote attacker can exploit this vulnerability to access credentials of normal users and administrator.
{
"affected": [],
"aliases": [
"CVE-2023-30602"
],
"database_specific": {
"cwe_ids": [
"CWE-311",
"CWE-319"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-02T11:15:10Z",
"severity": "HIGH"
},
"details": "Hitron Technologies CODA-5310\u2019s Telnet function transfers sensitive data in plaintext. An unauthenticated remote attacker can exploit this vulnerability to access credentials of normal users and administrator.",
"id": "GHSA-xhqg-j6g5-rp58",
"modified": "2024-10-14T06:30:42Z",
"published": "2023-07-06T21:15:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30602"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-7084-74e83-1.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.
Mitigation
When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.
Mitigation
When designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security critical data to trusted user applications.
Mitigation
Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.
Mitigation
Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols.
CAPEC-102: Session Sidejacking
Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.
CAPEC-117: Interception
An adversary monitors data streams to or from the target for information gathering purposes. This attack may be undertaken to solely gather sensitive information or to support a further attack against the target. This attack pattern can involve sniffing network traffic as well as other types of data streams (e.g. radio). The adversary can attempt to initiate the establishment of a data stream or passively observe the communications as they unfold. In all variants of this attack, the adversary is not the intended recipient of the data stream. In contrast to other means of gathering information (e.g., targeting data leaks), the adversary must actively position themself so as to observe explicit data channels (e.g. network traffic) and read the content. However, this attack differs from a Adversary-In-the-Middle (CAPEC-94) attack, as the adversary does not alter the content of the communications nor forward data to the intended recipient.
CAPEC-383: Harvesting Information via API Event Monitoring
An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. Assume the adversary hosts a "virtual sale" of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. The adversary would then be able to spam those users within the application using an automated script.
CAPEC-477: Signature Spoofing by Mixing Signed and Unsigned Content
An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.
CAPEC-65: Sniff Application Code
An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.