Transmit sensitive information in clear text

1. What is plaintext transmission

Put simply, plaintext transmission means that sensitive data submitted from a website to the server is sent without any encryption, so an attacker can obtain it through a man-in-the-middle attack (hijacking, sniffing, etc.). With that data, the attacker can enter the application system as a legitimate user, and may even reach the back end of the application system. Once inside, the attacker can obtain more sensitive data and has a better chance of discovering more vulnerabilities. Plaintext transmission only occurs over the HTTP protocol.

Sometimes a website uses HTTPS, yet when we capture the request we find that the username and password fields are still shown in plain text. This is because HTTPS (SSL) encryption takes place between the application layer and the transport layer: the data seen at the transport layer is encrypted, while the HTTP POST we captured is application-layer data that has not yet been encrypted. That plaintext is really just your own local data. Only the client and the server can see the plaintext of the encrypted data, and the communication from the client to the server is secure. So this is not plaintext transmission.

2. Examples of plaintext transmission

Prerequisite: the protocol is HTTP.

Capture the request sent by the website's login page with a tool such as Burp, Wireshark or Fiddler, then check whether the value of the password parameter in the packet is plain text.
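The check described above, written as an added example (not code from the original post): it parses a raw captured login request and lists the credential-like parameters whose values are readable, and it treats an HTTPS capture as no finding, matching section 1. The function names, the parameter-name pattern, the "looks encoded" heuristic and the sample request are all assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qsl

# Parameter names treated as credentials (assumed list; extend per application).
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|secret|token", re.I)
# Heuristic: a long hex digest or base64 blob counts as already hashed/encrypted.
ENCODED = re.compile(r"^(?:[0-9a-fA-F]{32,}|[A-Za-z0-9+/]{40,}={0,2})$")

def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def body_params(headers, body):
    """Return key/value pairs from a form-encoded or flat JSON body."""
    if "json" in headers.get("content-type", ""):
        try:
            data = json.loads(body)
        except ValueError:
            return []
        return [(k, str(v)) for k, v in data.items()] if isinstance(data, dict) else []
    return parse_qsl(body, keep_blank_values=True)

def find_cleartext_credentials(raw: str, scheme: str):
    """Names of credential parameters that cross the network readable."""
    if scheme.lower() != "http":
        return []  # under HTTPS a proxy shows pre-encryption data: not a finding
    _, path, headers, body = parse_request(raw)
    params = parse_qsl(path.partition("?")[2]) + body_params(headers, body)
    return [name for name, value in params
            if SENSITIVE.search(name) and value and not ENCODED.match(value)]

# Constructed sample capture of a login form posted over HTTP.
SAMPLE = (
    "POST /login HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=Spring2024%21"
)
if __name__ == "__main__":
    print(find_cleartext_credentials(SAMPLE, "http"))
```

The encoded-value heuristic only separates readable strings from digest-like or ciphertext-like ones; it says nothing about whether the transformation applied to the value is sound.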


3. Defense

1. Encrypt user login information for transmission. For example, encrypt the password with a secure algorithm before it is sent. The available algorithms include: an irreversible hash algorithm plus a salt (a random number of 4 or more digits, generated by the server); secure symmetric encryption algorithms such as AES (128, 192 or 256 bits), where the client key must be kept secure so that it cannot be cracked or read; and asymmetric encryption algorithms such as RSA (not less than 1024 bits), SM2, etc.

2. Use HTTPS/SSL to ensure the security of transmission.

Origin blog.csdn.net/qq_44159028/article/details/115057625