sec-notes
  • Whoami
  • WEP-Pen
    • Reconnaissance
    • Enumeration
    • OWSAP TOP 10
      • Cryptographic Failures
        • Weak Encoding for Password
        • Improper Following of a Certificate's Chain of Trust
          • Understanding Digital Certificates : Self-Signed and CA-Signed Certificate **
          • Transport Layer Security (TLS) and SSL **
        • Clear Text Transmission Of Sensitive Data
          • SSLStripping **
      • Broken Access Control
        • Path Traversal
        • Sensitive Cookie with Improper SameSite Attribute
        • Link Following
        • Incorrect Default Permissions
        • Information disclosure
        • CSRF
          • csrf checklist
        • 403 bypass
        • Exposure of WSDL File Containing Sensitive Information
        • bussiness logic checklist
        • 2FA bypass checklist
        • admin panal checklist
        • idor checklist
        • Authentication checklist
        • reset_password_checklist
        • ATO
      • Injection
        • Cross Site Scripting
          • Cross Site Scripting
          • Exploitation
          • Protections
        • SQL Injection
          • SQL Injection Overview
        • NoSQL Injection
        • CRLF Injection
        • XML Injection
      • Insecure Design
      • Security Misconfiguration
        • CORS Miscofigration
        • Mail Server Misconfiguration
      • Vulnerable and Outdated Components
      • Identification and Authentication Failures
      • Software and Data Integrity Failures
      • Security Logging and Monitoring Failures
      • Server-Side Request Forgery (SSRF)
    • Checklists
      • mass assignment
      • aem misconfiguration
      • exif_geo
      • xss
      • Session Management
      • Authorization
      • cookie
      • Django
      • Symfony
      • json
      • bypass rate limit
      • Rce
      • Register Page
    • JWT Hacking
    • GraphQL Vulnerabilities
    • PostMessage Vulnerabilities
      • PostMessage Vulnerabilities
      • Blocking main page to steal postmessage
      • Bypassing SOP with Iframes - part 1
      • Bypassing SOP with Iframes - part 2
      • Steal postmessage modifying iframe location
  • API-Pen
    • API Discovry
    • Reverse Engineering API Documentation
    • Excessive Data Exposure
    • Vulnerability Scanning
    • API Authentication Attacks
      • Classic Authentication Attacks
      • API Token Attacks
    • API Authorization Attacks
      • Broken Object Level Authorization (BOLA)
      • Broken Function Level Authorization
    • Improper Assets Management
    • Mass Assignment
    • SSRF
    • Injection Attacks in API
    • Evasive Maneuvers
  • NET-Pen
    • Active Directory Pentesting
      • Active Directory Components
      • Initial Attack Vectors
        • LLMNR Poisoning
        • SMB Relay Attacks
        • IPv6 Attacks ( IPv6 DNS Takeover )
        • Printer Hacking
        • Methodology
        • Some Other Attacks
          • Zerologon (CVE-2020-1472)
          • PrintNightmare (CVE-2021-1675)
      • Post-Compromise Attacks
        • Pass Attacks
        • Kerberoasting Attack
        • Token Impersonation Attack
        • LNK File Attack
        • GPP / cPassword Attacks
        • Mimikatz
        • Methodology
      • We've Compromised the Domain
        • Dumping the NTDS.dit
        • Golden Ticket Attacks
        • Methodology
      • Case Study
      • Password Attacks
    • Attack Vectors by Port
      • FTP 21
      • SSH 22
      • Telnet 23 - 2323
      • SMTP 25
      • DNS 53
      • Kerberos 88
      • POP 110-995
      • RPC 111
      • Ident 113
      • NNTP 119
      • NetBIOS 137-138
      • SMB / Samba 135-139, 445
      • MSRPC 135
      • SNMP 161
      • LDAP 389,636
      • Modbus 502
      • OpenSSL 1337
      • Ms-SQL 1433
      • Oracle Listener 1521 1522 1529
      • NFS 2049
      • MySql 3306
      • RDP 3389
      • ADB Android Debug Bridge 5555
      • WinRM 5985 5986
      • VNC 5800 5900
      • Redis 6379
      • Unreal IRC 6667
      • Tomcat 8080
      • MongoDB 27017
      • http 80
    • Network basics
    • Information Gathering
    • Privilege Escalation
      • Windows Privilege Escalation
      • Linux Privilege Escalation
  • write-ups
    • How i found a Privilege Escalation via Impersonation Features feature
    • How I Bypassed SAML Authentication, Leading to Admin Panel Access.
    • How I was able to discover ATO Via IDOR vulnerability
    • Easy full Account Takeover via Facebook OAuth Misconfiguration
Powered by GitBook
On this page
  1. WEP-Pen
  2. OWSAP TOP 10
  3. Cryptographic Failures

Clear Text Transmission Of Sensitive Data

PreviousTransport Layer Security (TLS) and SSL **NextSSLStripping **

Last updated 1 month ago

Some applications transmit passwords over unencrypted connections, making them easy targets for interception. Attackers can exploit this by eavesdropping on network traffic, especially over public Wi-Fi, corporate, or home networks with compromised devices.

Many communication channels can be sniffed by anyone with network access, making exploitation remarkably easy.

We've all seen HTTP vs. HTTPS, but many don’t realize the difference. If your website handles logins, transactions, or user data, HTTPS is a must. If it's purely static (no sensitive interactions), HTTP may be fine—but HTTPS is still recommended for security and trust.

Difference Between HTTP and HTTPS

HTTP :

  • An application-layer protocol for communication between web browsers and servers.

  • Lacks data integrity—attackers can tamper with transmitted data.

  • Transmits data in plaintext, making it readable to anyone intercepting the traffic.

HTTPS :

  • Encrypts communication to protect data integrity and privacy.

  • Prevents attackers from tampering with data exchanged between websites and users.

Difference between HTTP & HTTPS

HTTPS uses SSL/TLS encryption, which secures data with a public key (widely known) and a private key (kept secret by the recipient).

How to find this vulnerability ?

  1. Your target website is using http on the login panel

2. Start WireShark for intercepting traffic

Here I have selected Wi-Fi because my PC is connected to Wi-Fi

3. Start packet capturing in WireShark and login to your website

Here you can see the username but the password is hidden, let’s check in the WireShark.

4. Go to WireShark and apply this filter : http.cookie

Any attacker can steal the sensitive information if he/she is in the network.

So this was simple and known to many people but what if every GET request is secured ? The website you visit is using HTTPS, so now what to do ? Have you ever tried for POST request ? Let’s Check it.

On the same website I saw the page was having https://www.website.com but when I intercepted the request using burp suite and I saw the POST request for saving the data was using HTTP protocol and I again intercepted it using WireShark and every thing was visible

Exploiting POST Method :

  1. Your website is using HTTPS for every GET request

This page was using HTTPS when you visit it. Now this is private information which is visible to user itself but not to an attacker as the GET request is secure by HTTPS protocol

2. Fill the form and Intercept the request using burp suite to check if the POST request is using HTTPS or HTTP for saving or transferring data

3. Now check WireShark logs for the same request using same filter : http.cookie

NOTE : You can perform this attack on POST requests like changing password, sending messages, publishing private post, transferring payments etc.

Reports :

https://hackerone.com/reports/214571https://hackerone.com/reports/813159 https://hackerone.com/reports/2337938 https://hackerone.com/reports/1987680https://hackerone.com/reports/173268 https://hackerone.com/reports/1565622https://hackerone.com/reports/1213181 https://hackerone.com/reports/1730660https://hackerone.com/reports/751581 https://hackerone.com/reports/2129769

Secure Socket Layer
Login Panel without HTTPS
WireShark
Logging In
WireShark Logs
HTTPS GET request
Burp Suite HTTP POST request
WireShark Logs