Risks of Using HTTP For Your Web Application
For modern web applications, the average user will interact over a secure protocol for communication (i.e. HTTPS, or Hypertext Transfer Protocol Secure). However, it’s not uncommon to encounter a web application hosted in an internal corporate environment using the less secure HTTP (Hypertext Transfer Protocol) which communicates in cleartext. While it may not seem like a big deal since the application is not exposed publicly to the Internet, we will briefly examine the risks of using HTTP for your web application.
Overview of HTTP vs. HTTPS
As mentioned above, HTTP communicates over cleartext. This means that any data you send from your device (client) to the site (server) can be captured and viewed by anyone on the same network as you. Obviously, this is problematic. The graphic below shows the basic flow of a user logging into an application:
In the above image, we can see an Administrator user logging into a website with the username “Admin” and the password “SecurePassword123!”. We can see this because of the cleartext communication that HTTP allows. Fortunately, most sites publicly exposed to the Internet do not communicate over HTTP anymore. The graphic below is a rudimentary view if an application communicates over HTTPS:
Note how the previously viewed values of the username and password are now impossible to view. Additionally, the response from the server which contains a “PHPSESSID”, a common authorization value which we now cannot see. This means an attacker cannot leverage this session cookie value to issue requests from the context of a victim user. This is always the ideal scenario and is best practice for security. Let’s look at what this looks like from a practical standpoint. An attacker will realistically see the below images, HTTP vs. HTTPS:
“But wait, where is the password in the left image? I don’t see it…”. Great observation! The above left image displays an Authorization request header in the form of “Basic Authentication”. Basic Authentication (Basic Auth) over HTTP is encoded, not encrypted (that’s a whole different blog post). Basic Auth can be decoded as it is encoded in Base64. While there are many ways to decode Base64, I prefer to use a website called CyberChef:
The image on the right cannot be decoded, as it uses encryption. The distinction of encryption vs encoding is very important, but without diving into that completely just know that encryption is much more important for information security.
HTTPS Best Practices
Now that we the know risks of using HTTP for your web application, let’s briefly examine some security best practices for deploying HTTPS. HTTPS was created in 1994 by NetScape, and the TLS protocol was officially submitted as RFC 2246 in January 1999. As you can imagine, technology has changed drastically since then and so have the protocols to secure communications for your favorite websites. So where do we stand today?
As of the creation of this blog post, Lucid Security recommends avoiding using legacy protocols (SSLv2, SSLv3, TLSv1.0, and TLSv1.1) in favor of TLSv1.2 or higher with strong cipher suites to prevent downgrade attacks and other known cryptographic weaknesses. A common finding when Lucid Security conducts a web application penetration test are violations of the OWASP A2 Security Control – Cryptographic Failures. In most cases, it is a minor security hygiene weakness (i.e. using TLSv1.0 instead of TLSv.1.2). Lucid Security strongly encourages organizations to follow security best practice to obtain the most ideal clean bill of health possible.
Summary
Even if an application is internally hosted, the risks of using HTTP for your web application are too great. Cleartext HTTP traffic can be obtained by very basic users within a network. ‘Introduction to Networking’ classes are often now taught in high schools, which introduce tools such as Wireshark or tcpdump. Both of these tools are capable of capturing cleartext communication via HTTP. Further, advanced threat actors are patient and will sniff traffic and attempt to “stay under the radar”. Sniffing traffic is a passive technique that can help prevent an attacker from getting caught. As such, internally hosted web applications should always communicate over HTTPS to prevent credentials and sensitive information from being leaked.
How Lucid Security Can Help
Lucid Security consists of seasoned security professionals with decades of experience in security and penetration testing. Our unique and competent perspective enables us to enhance clients’ security environments. Please contact us today to learn more about our services and how we can make your organization more secure.
