This weakness occurs when an application sends sensitive data—such as passwords, authentication tokens, payment information, or personal details—over an unencrypted connection. An attacker on the same network or positioned between the user and server can intercept and read this data in plain text. This is one of the most common and preventable vulnerabilities in web applications.
02 How It Happens
Applications transmit sensitive information over cleartext when they use unencrypted protocols (HTTP instead of HTTPS, unencrypted email, plain FTP) or fail to encrypt data before sending it. Developers may skip encryption due to performance concerns, misunderstanding of threat models, or simply not considering the risk. Even if a login form itself uses HTTPS, sensitive data sent in subsequent requests, API calls, or background communications over HTTP remains exposed. Network attackers—including those on shared WiFi, compromised routers, or ISP-level adversaries—can passively capture this traffic without any interaction with the application.
03 Real-World Impact
Intercepted credentials allow attackers to impersonate legitimate users and gain unauthorized access to accounts. Captured payment card data or personally identifiable information (PII) can be used for fraud, identity theft, or sold on underground markets. Session tokens transmitted in cleartext enable account hijacking. In regulated industries, cleartext transmission of sensitive data violates compliance requirements (PCI-DSS, HIPAA, GDPR) and can result in fines and legal liability. Even a single intercepted password or token can compromise an entire user account and any linked services.
Why it's vulnerable: The connection uses http:// instead of https://, so the username and password are sent in plaintext over the network where they can be intercepted.
Use HTTPS everywhere: Enforce TLS 1.2 or higher for all pages and API endpoints that handle or transmit any sensitive data, not just login pages.
Redirect HTTP to HTTPS: Configure your web server to automatically redirect all HTTP requests to HTTPS to prevent accidental cleartext transmission.
Validate SSL/TLS certificates: In client code, verify server certificates and reject self-signed or expired certificates; do not disable certificate validation.
Encrypt sensitive data at rest and in transit: Even over HTTPS, consider encrypting highly sensitive fields (e.g., payment tokens) before transmission.
Use secure cookies: Set the Secure and HttpOnly flags on session cookies so they are only transmitted over HTTPS and not accessible to JavaScript.
Audit third-party integrations: Ensure any external APIs, webhooks, or background services also use encrypted channels for sensitive data.
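The client-side half of the mitigations above, as an added example that is not code from the original page: an endpoint audit that refuses anything but https://, a TLS context that keeps certificate and hostname verification on and raises the floor to TLS 1.2, a login request builder that keeps credentials out of the URL, and a check that a session cookie carries Secure and HttpOnly. The config dict, hostnames and cookie values are constructed for the example; only the Python standard library is used.

```python
"""Added example (not from the original page): client-side enforcement of the
mitigations listed above. Assumptions: endpoint URLs come from a config dict,
the login call is a JSON POST, and only the standard library is used.
"""
import json
import ssl
import urllib.request
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample config: one endpoint is still plain HTTP (the defect).
ENDPOINTS = {
    "login":   "https://app.example.test/api/login",
    "profile": "https://app.example.test/api/profile",
    "export":  "http://reports.example.test/api/export",   # cleartext!
}


def require_https(url: str) -> str:
    """Refuse to use any endpoint that is not https:// ("HTTPS everywhere")."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing cleartext scheme {parts.scheme!r} for {url}")
    if not parts.hostname:
        raise ValueError(f"endpoint has no host: {url}")
    return url


def audit_endpoints(endpoints: dict) -> list:
    """Return the names of configured endpoints that would transmit in cleartext."""
    bad = []
    for name, url in endpoints.items():
        try:
            require_https(url)
        except ValueError:
            bad.append(name)
    return bad


def build_tls_context() -> ssl.SSLContext:
    """TLS 1.2+ with certificate and hostname verification left ON.

    create_default_context() loads the system trust store and already sets
    CERT_REQUIRED and check_hostname; we only raise the protocol floor.
    Setting check_hostname = False or verify_mode = CERT_NONE to "fix" a
    certificate error removes the protection entirely.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True when verification is on and nothing below TLS 1.2 is negotiated."""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version == ssl.TLSVersion.TLSv1_2
    )


def prepare_login_request(login_url: str, username: str, password: str) -> urllib.request.Request:
    """Build a login POST: scheme checked first, credentials in the body, never in the URL."""
    require_https(login_url)
    body = json.dumps({"username": username, "password": password}).encode()
    return urllib.request.Request(
        login_url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )


def send(request: urllib.request.Request):
    """Send the (already https-only) request using the verified TLS context."""
    return urllib.request.urlopen(request, timeout=10, context=build_tls_context())


def missing_cookie_flags(set_cookie_header: str, name: str = "session") -> list:
    """Flags a session cookie should carry but does not (Secure, HttpOnly)."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar[name]
    return [flag for flag, key in (("Secure", "secure"), ("HttpOnly", "httponly"))
            if not morsel[key]]


if __name__ == "__main__":
    print("cleartext endpoints:", audit_endpoints(ENDPOINTS))
    print("TLS hardened:", tls_context_is_hardened(build_tls_context()))
    print("missing flags:", missing_cookie_flags("session=abc123; Path=/; HttpOnly"))
```

The scheme check runs before any request object is built, so a misconfigured URL fails loudly at startup rather than leaking a credential on the first call; `send` passes the hardened context to `urlopen` instead of a hand-built opener so the verification settings cannot be bypassed by a default HTTP handler.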
06 Signs You May Already Be Affected
Check your web server logs and network traffic for HTTP requests (not HTTPS) that include sensitive parameters such as passwords, tokens, or API keys in the URL or request body. Review your application's configuration to confirm all endpoints handling authentication, payment, or personal data are served over HTTPS. If you see mixed content warnings in browsers or find that login forms submit to HTTP endpoints, your application is vulnerable.
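The log review described above, as an added example that is not code from the original page: it parses access-log lines, keeps only those served over plain HTTP, and reports requests that carry sensitive parameter names in the URL or that POST to a credential-bearing path (whose body the log cannot show). The log format is an assumption (an nginx-style custom format that records `$scheme`), and every sample line is constructed for the example.

```python
"""Added example (not from the original page): scan web-server access logs for
sensitive data carried over plain HTTP. Assumption: the log format records
the scheme, in the style   $remote_addr [$time_local] $scheme "$request" $status
The sample lines below are constructed for the example.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Query-parameter names that should never appear in a cleartext request.
SENSITIVE_PARAMS = {
    "password", "passwd", "pwd", "token", "access_token", "refresh_token",
    "api_key", "apikey", "session", "sessionid", "card_number", "ssn",
}
# Paths whose request bodies almost certainly carry credentials or payment data.
CREDENTIAL_PATHS = ("/login", "/signin", "/auth", "/api/token", "/checkout")

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] (?P<scheme>https?) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Constructed sample log: two cleartext exposures, one unparseable line.
SAMPLE_LOG_LINES = [
    '203.0.113.7 [10/Oct/2023:13:55:36 +0000] https "POST /login HTTP/1.1" 302',
    '198.51.100.4 [10/Oct/2023:13:55:40 +0000] http "GET /reset?token=9f3c1a&user=bob HTTP/1.1" 200',
    '198.51.100.4 [10/Oct/2023:13:56:02 +0000] http "POST /login HTTP/1.1" 302',
    '203.0.113.9 [10/Oct/2023:13:56:10 +0000] http "GET /static/logo.png HTTP/1.1" 200',
    '203.0.113.9 [10/Oct/2023:13:56:11 +0000] http "GET / HTTP/1.1" 301',
    '203.0.113.9 [10/Oct/2023:13:56:12 +0000] https "GET /api/profile?api_key=abcd HTTP/1.1" 200',
    'garbage line that does not parse',
]


@dataclass
class Finding:
    ip: str
    time: str
    method: str
    target: str
    reason: str


def parse_line(line: str):
    """Return the line's fields as a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def sensitive_params_in(target: str) -> list:
    """Sorted sensitive parameter names present in the request target's query string."""
    query = urlsplit(target).query
    names = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def find_cleartext_exposures(lines) -> list:
    """Report plain-HTTP requests that expose sensitive data in the URL or body."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["scheme"] != "http":
            continue  # unparseable, or already encrypted in transit
        hits = sensitive_params_in(rec["target"])
        path = urlsplit(rec["target"]).path
        if hits:
            reason = "sensitive parameter(s) in cleartext URL: " + ", ".join(hits)
        elif rec["method"] in ("POST", "PUT", "PATCH") and path.startswith(CREDENTIAL_PATHS):
            reason = "credential-bearing request body sent over HTTP (body not logged)"
        else:
            continue
        findings.append(Finding(rec["ip"], rec["time"], rec["method"], rec["target"], reason))
    return findings


if __name__ == "__main__":
    for f in find_cleartext_exposures(SAMPLE_LOG_LINES):
        print(f"{f.time} {f.ip} {f.method} {f.target}: {f.reason}")
```

The `http GET / 301` line is the redirect the mitigations call for and is correctly left alone; the HTTPS request with `api_key` in its query string is not a cleartext exposure, but secrets placed in URLs still land in access logs and proxy logs regardless of scheme, so they are worth a separate review.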