This vulnerability is encountered when an application does not redirect to HTTPS of the same site. When this situation is encountered, it opens a whole new world for “Man in the middle” (MITM) attacks. It is necessary to implement HTTPS even if there is no sensitive data communication. HTTPS is required for viewing progressive web applications. HTTPS protects from attackers and legitimate intrusive companies (like ISP). Without HTTPS, an attacker can trick the end users into giving sensitive information to the attacker. He can even force the end users to install malware into the system. HTTPS stops attackers from passively listening to the communication.
The following URL is an example of HTTP. The below URL is prone to MITM attacks.
The following URL is an example of HTTPS.
The following code is an example of this vulnerability.
The following are the impacts of this vulnerability:-
Session hijacking attacks - An HTTP request that includes a session ID cookie is subject to session hijacking attacks. Session hijacking (or cookie hijacking) is exploitation of valid computer sessions. It is essential to allow HTTP redirect to HTTPS, that cookies are marked as secure.
Man-In-The-Middle (MITM) attack
Using this vulnerability, an attacker can:-
Beagle recommends the following fixes:-