forked from github/codeql
CleartextTransmission.qhelp
<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>
<overview>
<p>
Sensitive information that is transmitted without encryption may be accessible
to an attacker.
</p>
</overview>
<recommendation>
<p>
Ensure that sensitive information is always encrypted before being transmitted
over the network. In general, decrypt sensitive information only at the point
where it is necessary for it to be used in cleartext. Avoid transmitting
sensitive information when it is not necessary to.
</p>
</recommendation>
<example>
<p>
The following example shows three cases of transmitting information. In the
'BAD' case, the transmitted data is sensitive (a credit card number) and is
included as cleartext in the URL. URLs are routinely recorded in server, proxy
and CDN logs, browser history and Referer headers, so even when the connection
itself uses TLS a URL should never carry sensitive information.
</p>
<p>
In the 'GOOD' cases, the data is either not sensitive (an identifier that
reveals nothing on its own), or is encrypted before it is placed in the URL.
When encryption is used, choose an authenticated encryption scheme (an AEAD
such as AES-GCM or ChaCha20-Poly1305) rather than a legacy or unauthenticated
mode, and put suitable key management practices into place: the key must not be
hard-coded, must be rotated, and must only be available to the party that needs
the cleartext.
</p>
<sample src="CleartextTransmission.rs" />
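<p>
The following Rust program is an added illustration, not the
CleartextTransmission.rs sample referenced above and not code from the CodeQL
project. It shows one way to make the 'BAD' case uncompilable rather than
merely discouraged: the card number lives in a newtype with no Display
implementation, so it cannot be formatted into a URL or log line, and the only
way out of the type is an explicit seal step. The Encryptor trait, the
CardNumber/Sealed types, the URL builders and the DemoXor stand-in are all
assumptions made for the example; DemoXor is not encryption and exists only so
the example runs with no dependencies. Real code would implement Encryptor with
an AEAD from a vetted crate.
</p>

```rust
use std::fmt;

/// Primary account number (credit card number). The digits are private and the
/// type deliberately has no `Display` impl, so `format!("...{}", card)` does not
/// compile and the number cannot reach a URL, query string or log by accident.
pub struct CardNumber {
    digits: String,
}

impl CardNumber {
    /// Accepts 12-19 ASCII digits (internal spaces allowed) that pass the Luhn check.
    pub fn new(raw: &str) -> Result<Self, &'static str> {
        let digits: String = raw.chars().filter(|c| !c.is_whitespace()).collect();
        if !(12..=19).contains(&digits.len()) || !digits.bytes().all(|b| b.is_ascii_digit()) {
            return Err("card number must be 12-19 digits");
        }
        if !luhn_ok(&digits) {
            return Err("card number fails Luhn check");
        }
        Ok(Self { digits })
    }

    /// Last four digits: the only part considered safe for receipts and logs.
    pub fn last4(&self) -> &str {
        &self.digits[self.digits.len() - 4..]
    }

    /// The only way to obtain a transmittable form: encrypt the digits first.
    pub fn seal<E: Encryptor>(&self, enc: &E) -> Sealed {
        Sealed(enc.encrypt(self.digits.as_bytes()))
    }
}

/// `{:?}` prints a masked form, so a debug log line cannot leak the number.
impl fmt::Debug for CardNumber {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "CardNumber(****{})", self.last4())
    }
}

/// Standard Luhn checksum over an ASCII digit string (assumed pre-validated).
fn luhn_ok(digits: &str) -> bool {
    let mut sum = 0u32;
    for (i, b) in digits.bytes().rev().enumerate() {
        let mut d = u32::from(b - b'0');
        if i % 2 == 1 {
            d *= 2;
            if d > 9 {
                d -= 9;
            }
        }
        sum += d;
    }
    sum % 10 == 0
}

/// Anything that turns plaintext into ciphertext. Production code implements
/// this with an authenticated cipher (AES-GCM, ChaCha20-Poly1305) from a
/// vetted crate and a key managed per the Key Management Cheat Sheet.
pub trait Encryptor {
    fn encrypt(&self, plaintext: &[u8]) -> Vec<u8>;
}

/// Ciphertext ready for transmission; hex-encoded so it is URL-safe as-is.
pub struct Sealed(Vec<u8>);

impl Sealed {
    pub fn to_hex(&self) -> String {
        self.0.iter().map(|b| format!("{:02x}", b)).collect()
    }
}

/// Stand-in used only so this example runs without dependencies. A fixed-key
/// XOR is NOT encryption; never use this outside the demo.
pub struct DemoXor(pub u8);

impl Encryptor for DemoXor {
    fn encrypt(&self, plaintext: &[u8]) -> Vec<u8> {
        plaintext.iter().map(|b| b ^ self.0).collect()
    }
}

/// GOOD: the URL carries only a non-sensitive identifier.
pub fn order_status_url(base: &str, order_id: u64) -> String {
    format!("{base}/orders?order_id={order_id}")
}

/// GOOD: the card number appears in the URL only in sealed form. Writing
/// `format!("{base}/charge?card={card}")` with a `CardNumber` (the BAD case)
/// is a compile error because `CardNumber` has no `Display`.
pub fn charge_url(base: &str, order_id: u64, card: &Sealed) -> String {
    format!("{base}/charge?order_id={order_id}&card={}", card.to_hex())
}

fn main() {
    // Constructed sample input: a well-known test card number, not a real account.
    let card = CardNumber::new("4111 1111 1111 1111").expect("valid test number");
    let sealed = card.seal(&DemoXor(0x5a));
    println!("{:?}", card);
    println!("{}", order_status_url("https://example.com", 42));
    println!("{}", charge_url("https://example.com", 42, &sealed));
}
```

<p>
The design choice worth copying is the asymmetry: getting a CardNumber in is
easy, getting its digits out is only possible through seal, and the masked
Debug impl covers the other common leak path (error and tracing output). The
same pattern applies to any value CodeQL would classify as sensitive, such as
passwords, API tokens or national identity numbers.
</p>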
</example>
<references>
<li>
OWASP Top 10:2021:
<a href="https://owasp.org/Top10/A02_2021-Cryptographic_Failures/">A02:2021 – Cryptographic Failures</a>.
</li>
<li>
OWASP:
<a href="https://cheatsheetseries.owasp.org/cheatsheets/Key_Management_Cheat_Sheet.html">Key Management Cheat Sheet</a>.
</li>
</references>
</qhelp>