Cleartext Protocols
What does this mean ?
Many communication channels can be "sniffed" by attackers while data is in transit. For example, network traffic can often be captured by any attacker who has access to a network interface. When the data is sent in cleartext, this considerably reduces the effort an attacker needs to exploit it.
What can happen ?
Anyone who gains access to the channel used for communication can read the information sent over it.
Recommendation
- Encrypt the data with a trusted encryption technique before transferring it.
- When using SSL/TLS with web applications, use it for the whole session, not just for the initial login page.
Sample Code
Vulnerable (C#):
using System.Text;
using System.Web;
using System.Web.Security;
/// <summary>
/// Vulnerable sample: an HTTP handler that copies the <c>accountNo</c> query
/// string value into a response cookie without protecting it.
/// </summary>
public class CleartextHandler : IHttpHandler
{
    /// <summary>
    /// Reads <c>accountNo</c> from the query string and stores it in a cookie.
    /// </summary>
    /// <param name="ctx">The current HTTP context.</param>
    public void ProcessRequest(HttpContext ctx)
    {
        string requested = ctx.Request.QueryString["accountNo"];

        // vulnerable code: the account number is stored as-is, so anyone who
        // can observe the traffic or read the cookie sees it in clear text.
        // Protect() below exists but is never called on this path.
        HttpCookie outgoing = ctx.Response.Cookies["accountNo"];
        outgoing.Value = requested;
    }

    /// <summary>
    /// Runs <paramref name="value"/> through <c>MachineKey.Protect</c> and
    /// returns the result as a string.
    /// </summary>
    /// <param name="value">Text to protect.</param>
    /// <param name="type">Purpose string passed to <c>MachineKey.Protect</c>.</param>
    /// <returns>The protected bytes decoded as UTF-8 text.</returns>
    public string Protect(string value, string type)
    {
        byte[] plainBytes = Encoding.UTF8.GetBytes(value);
        byte[] protectedBytes = MachineKey.Protect(plainBytes, type);

        // NOTE(review): protected output is arbitrary binary; decoding it as
        // UTF-8 is lossy, so the result may not round-trip.
        return Encoding.UTF8.GetString(protectedBytes);
    }
}
Non Vulnerable (C#):
using System;
using System.Text;
using System.Web;
using System.Web.Security;
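/// <summary>
/// HTTP handler that stores the <c>accountNo</c> query string value in a
/// cookie only after protecting it with <c>MachineKey.Protect</c>.
/// </summary>
public class CleartextHandler : IHttpHandler
{
    /// <summary>
    /// Required by <see cref="IHttpHandler"/>. The handler keeps no
    /// per-request state, so one instance can serve several requests.
    /// </summary>
    public bool IsReusable
    {
        get { return true; }
    }

    /// <summary>
    /// Reads <c>accountNo</c> from the query string and writes its protected
    /// form to the <c>AccountNo</c> cookie.
    /// </summary>
    /// <param name="ctx">The current HTTP context.</param>
    public void ProcessRequest(HttpContext ctx)
    {
        string accountNo = ctx.Request.QueryString["accountNo"];
        if (string.IsNullOrEmpty(accountNo))
        {
            // Nothing to protect: reject the request instead of failing
            // inside Protect() with an unhandled exception.
            ctx.Response.StatusCode = 400;
            return;
        }

        // Non vulnerable code
        HttpCookie cookie = ctx.Response.Cookies["AccountNo"];
        cookie.Value = Protect(accountNo, "Account number");

        // Send the cookie over HTTPS only and keep it away from client
        // script, so the protected value does not travel in clear text.
        cookie.Secure = true;
        cookie.HttpOnly = true;
    }

    /// <summary>
    /// Protects <paramref name="value"/> with the application's machine key.
    /// </summary>
    /// <param name="value">Text to protect; must not be null.</param>
    /// <param name="type">
    /// Purpose string passed to <c>MachineKey.Protect</c>; the same purpose
    /// must be supplied to <c>MachineKey.Unprotect</c> to recover the value.
    /// </param>
    /// <returns>The protected bytes encoded as Base64 text.</returns>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="value"/> is null.
    /// </exception>
    public string Protect(string value, string type)
    {
        if (value == null)
        {
            throw new ArgumentNullException(nameof(value));
        }

        byte[] protectedBytes = MachineKey.Protect(Encoding.UTF8.GetBytes(value), type);

        // The protected output is arbitrary binary. Decoding it as UTF-8
        // would corrupt it, so encode it as Base64; the reader must
        // Base64-decode before calling MachineKey.Unprotect.
        return Convert.ToBase64String(protectedBytes);
    }
}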
Vulnerable (Java):
/**
 * Vulnerable sample: builds a "user:password" string from hard-coded sample
 * credentials and places it, unprotected, in the "auth" cookie.
 *
 * @param args command-line arguments (unused)
 */
public static void main(String[] args) {
    PasswordAuthentication login =
        new PasswordAuthentication("user", "P@ssword".toCharArray());

    // Join user name and password as plain text.
    StringBuilder pair = new StringBuilder(login.getUserName());
    pair.append(":").append(login.getPassword());
    String cookieValue = pair.toString();

    // Vulnerable code: the credentials go into the cookie in clear text, so
    // anyone who can read the cookie or the traffic carrying it sees them.
    Cookie authCookie = new Cookie("auth", cookieValue);
    response.addCookie(authCookie);
}
Non Vulnerable (Java):
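/**
 * Hashes the sample credentials with a salt before placing them in the
 * "auth" cookie, so the user name and password are not sent in clear text.
 *
 * @param args command-line arguments (unused)
 */
public static void main(String[] args) {
    PasswordAuthentication creds =
        new PasswordAuthentication("user", "P@ssword".toCharArray());

    // NOTE(review): a constant salt and one pass of a fast hash still let
    // anyone who obtains the cookie guess passwords offline. Prefer a random,
    // server-side session identifier over any value derived from the password.
    String salt = "ThisIsMySalt";
    MessageDigest messageDigest = MessageDigest.getInstance("SHA-512");

    // getPassword() returns char[]; concatenating the array directly would
    // hash its object identity string instead of the password characters.
    String credsToHash =
        creds.getUserName() + ":" + new String(creds.getPassword());
    byte[] hashedCredsAsBytes =
        messageDigest.digest((salt + credsToHash).getBytes("UTF-8"));
    String data = bytesToString(hashedCredsAsBytes);

    // Non vulnerable code
    Cookie authCookie = new Cookie("auth", data);
    // Send the cookie over HTTPS only and hide it from client-side script.
    authCookie.setSecure(true);
    authCookie.setHttpOnly(true);
    response.addCookie(authCookie);
}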
Vulnerable (JavaScript):
// Vulnerable sample: the route stores the submitted password in a cookie
// without protecting it.
app.get('/remember-password', (req, res) => {
  const submitted = req.param("password");

  // vulnerable code: the password is written to the cookie in clear text and
  // is readable by anyone who can see the cookie or the traffic carrying it.
  res.cookie("password", submitted);
});
Non Vulnerable (JavaScript):
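const crypto = require('crypto');

// Secret used to protect cookie values. getPassword() is defined elsewhere;
// it should return a high-entropy secret that is kept out of source control.
const password = getPassword();

// AES-256 needs a key of exactly 32 bytes, so stretch the secret once at
// start-up. The salt is a constructed sample value; use a per-deployment
// value from configuration instead.
const cookieKey = crypto.scryptSync(password, 'sample-salt-replace-me', 32);

/**
 * Encrypts text with AES-256-GCM under the application key.
 *
 * crypto.createCipher is deprecated: it derives the key without a salt and
 * uses no random IV, so in CTR mode every value would be encrypted with the
 * same keystream. createCipheriv with a fresh random IV avoids that, and GCM
 * adds an authentication tag so tampering is detected on decryption.
 *
 * @param {string} text - Plaintext to encrypt.
 * @returns {string} Hex string holding IV (12 bytes), auth tag (16 bytes)
 *   and ciphertext, in that order; the decrypting side must split them again.
 */
function encrypt(text) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', cookieKey, iv);
  const ciphertext = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  return Buffer.concat([iv, tag, ciphertext]).toString('hex');
}

app.get('/remember-password', function (req, res) {
  let pw = req.param("password");
  if (typeof pw !== 'string' || pw.length === 0) {
    // Nothing to encrypt: reject instead of throwing inside encrypt().
    res.status(400).end();
    return;
  }

  // Non vulnerable code
  // Send the cookie over HTTPS only and keep it away from client-side script.
  res.cookie("password", encrypt(pw), { secure: true, httpOnly: true, sameSite: 'strict' });

  // Finish the response; without this the request would never complete.
  res.end();
});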