Redirects, but final destination is not an HTTPS URL.

OWASP 2013-A5 OWASP 2017-A6 CWE-601 WSTG-CLNT-04

HTTPS protocol is used for secure communication over a computer network. HTTPS is widely used on the Internet because due to its secure communication. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS), or formerly, its predecessor, Secure Sockets Layer (SSL). This vulnerability is due to SSL being turned off or the certificate used is not proper. This protocol protects applications from the man-in-the-middle attack (MITM). HTTPS was first implemented in the payment gateway. The other difference between HTTPS and HTTP is that HTTP uses port 80 whereas HTTPS uses 443.

Impact

Using this vulnerability, an attacker can:-

  • redirect the user to a malicious site to steal information/data.
  • show users false data which will, in turn, affect the credibility of the website.

Mitigation / Precaution

Beagle recommends the following:-

  • Turn on SSL certification
    • To obtain certification, generate a CSR (Certificate Signing Request).
    • Contact a certificate provider and request for a certificate.
    • Install the certificate.
    • Enforce SSL connections.
  • Try to set a proper SSL certificate.

Related Articles