CWE-319: Cleartext Transmission of Sensitive Information
Learn about CWE-319 (Cleartext Transmission of Sensitive Information), its security impact, exploitation methods, and prevention guidelines.
What is Cleartext Transmission of Sensitive Information?
• Overview: Cleartext Transmission of Sensitive Information (CWE-319) occurs when sensitive data, such as passwords, credit card numbers, or personal information, is sent over a network in a readable format. This makes it susceptible to interception by unauthorized parties.
• Exploitation Methods:
- Attackers can exploit this vulnerability by capturing network traffic using packet sniffers to read the unencrypted data.
- Common attack patterns include Man-in-the-Middle (MitM) attacks, where attackers intercept communications, and eavesdropping on unsecured Wi-Fi networks.
• Security Impact:
- Direct consequences of successful exploitation include unauthorized access to sensitive data and potential data breaches.
- Potential cascading effects might include identity theft, financial fraud, and further compromise of user accounts.
- Business impact could involve legal penalties, loss of customer trust, and damage to the organization's reputation.
• Prevention Guidelines:
- Specific code-level fixes include implementing Transport Layer Security (TLS) or Secure Sockets Layer (SSL) to encrypt data during transmission.
- Security best practices involve enforcing encryption protocols across all data transmission channels and regularly updating cryptographic libraries.
- Recommended tools and frameworks include using libraries such as OpenSSL for secure communication and employing HTTPS for web applications.
Technical Details
Likelihood of Exploit:
Affected Languages: Not Language-Specific
Affected Technologies: Cloud Computing, Mobile, ICS/OT, System on Chip, Test/Debug Hardware
Vulnerable Code Example
const http = require('http');

function sendSensitiveData(data) {
  // WARNING: Sending sensitive data over HTTP in cleartext
  const options = {
    hostname: 'example.com',
    port: 80, // HTTP port
    path: '/submit',
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
    },
  };

  const req = http.request(options, (res) => {
    console.log(`STATUS: ${res.statusCode}`);
  });

  // Data is being sent in cleartext, vulnerable to interception
  req.write(JSON.stringify(data));
  req.end();
}
How to fix Cleartext Transmission of Sensitive Information?
To prevent the transmission of sensitive data in cleartext, switch from the http module to the https module in Node.js. The https module uses TLS/SSL to secure data in transit, ensuring that sensitive information is encrypted and protected from interception.
Fixed Code Example
const https = require('https');

function sendSensitiveData(data) {
  // FIX: Use HTTPS to encrypt the data during transmission
  const options = {
    hostname: 'example.com',
    port: 443, // HTTPS port
    path: '/submit',
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
    },
  };

  const req = https.request(options, (res) => {
    console.log(`STATUS: ${res.statusCode}`);
  });

  // Connection and TLS failures (e.g. certificate validation errors) arrive
  // here; without a handler they would crash the process
  req.on('error', (err) => {
    console.error(`Request failed: ${err.message}`);
  });

  // Data is now encrypted and secure during transmission
  req.write(JSON.stringify(data));
  req.end();
}
These examples demonstrate how to secure sensitive data transmissions by using encryption protocols like TLS over HTTPS, ensuring data is protected during transfer over networks. This prevents attackers from intercepting sensitive information such as passwords or personal data.
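The fix above can regress if the target or TLS options later come from configuration. The following added example (not from the original page) puts a guard in front of the request that rejects a cleartext scheme or disabled certificate verification before any data is written. The helper name buildSecureRequestOptions and the targetUrl parameter are hypothetical, and the TLS 1.2 floor is an assumed policy.

```javascript
const https = require('https');

// Hypothetical helper: build options for a sensitive POST and refuse any
// configuration that would expose the payload on the wire.
function buildSecureRequestOptions(targetUrl, overrides = {}) {
  const url = new URL(targetUrl);

  // An http:// (or any non-https) target would send the body in cleartext.
  if (url.protocol !== 'https:') {
    throw new Error(`refusing cleartext transport to ${url.host} (${url.protocol})`);
  }
  // Encryption without certificate verification does not stop interception.
  if (overrides.rejectUnauthorized === false) {
    throw new Error('certificate verification must stay enabled');
  }

  return {
    ...overrides,
    hostname: url.hostname,
    port: Number(url.port) || 443,
    path: url.pathname + url.search,
    method: 'POST',
    headers: { 'Content-Type': 'application/json', ...overrides.headers },
    minVersion: 'TLSv1.2',    // assumed policy floor for this example
    rejectUnauthorized: true, // set explicitly so an override cannot weaken it
  };
}

function sendSensitiveData(targetUrl, data) {
  // Throws before any socket is opened if the target is not acceptable.
  const options = buildSecureRequestOptions(targetUrl);

  const req = https.request(options, (res) => {
    console.log(`STATUS: ${res.statusCode}`);
    res.resume(); // drain the response so the socket is released
  });
  req.on('error', (err) => console.error(`Request failed: ${err.message}`));
  req.end(JSON.stringify(data));
}
```

Because the check runs before https.request is called, a misconfigured http:// endpoint fails at the call site instead of silently sending the payload unencrypted.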