codeql/rust/ql/src/queries/security/CWE-311/CleartextTransmission.qhelp at 4de69c70a8de32cff6e050fee7fedae0bef11e13 · paldepind/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>

<p>
Sensitive information that is transmitted without encryption may be accessible
to an attacker.
</p>

</overview>
<recommendation>

<p>
Ensure that sensitive information is always encrypted before being transmitted
over the network. In general, decrypt sensitive information only at the point
where it is necessary for it to be used in cleartext. Avoid transmitting
sensitive information when it is not necessary to.
</p>

</recommendation>
<example>

<p>
The following example shows three cases of transmitting information. In the
'BAD' case, the data transmitted is sensitive (a password) and is not encrypted
as it occurs as a URL parameter. In the 'GOOD' cases, the data is either not
sensitive, or is protected with encryption. When encryption is used, take care
to select a secure modern encryption algorithm, and put suitable key management
practices into place.
</p>

<sample src="CleartextTransmission.rs" />

</example>
<references>

<li>
  OWASP Top 10:2021:
  <a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">A02:2021 � Cryptographic Failures</a>.
</li>
<li>
  OWASP:
  <a href="https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html">Key Management Cheat Sheet</a>.
</li>

</references>
</qhelp>