weixin_39597987
2020-12-01 12:51

Adding Cleartext Transmission of Sensitive Data Classification

The VRT addresses distinct insecure token/credential transmission issues across multiple categories, but does not address various types of sensitive data, to name a few: PCI information, PII, PHI, etc., that might be transmitted over several insecure protocols.

Current entries:

- Broken Authentication and Session Management->Weak Login Function->Over HTTP (P3)
- Broken Authentication and Session Management->Weak Registration Implementation->Over HTTP (P4)
- Sensitive Data Exposure->Token Leakage via Referer->Over HTTP (P4)
- Sensitive Data Exposure->Weak Password Reset Implementation->Password Reset Token Sent Over HTTP (P4)
- Sensitive Data Exposure->Mixed Content (HTTPS Sourcing HTTP) (P5)
- Network Security Misconfiguration->Telnet Enabled->Credentials Required (P4)

Since the VRT does not address unencrypted transmission of various types of sensitive data, it calls for a new catch-all entry.

Initial priority proposal:

null - context based, depending on the type of data and transit configuration

Potential classifications:

1. Sensitive Data Exposure->Cleartext Transmission of Sensitive Data (null)
2. Insecure Data Transport->Cleartext Transmission of Sensitive Data (null)

All feedback is welcome
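To make the proposed entry concrete from the triage side, here is an added example (not code from the VRT project or the issue author) that scans constructed request records for PCI/PII data sent over a cleartext transport and tags each hit with the proposed classification; it leaves priority at null, as the proposal does, since that is context based. The transport list, the regexes and the sample records are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Transports that carry request bodies in the clear (assumed list; extend as needed).
CLEARTEXT_SCHEMES = {"http", "ftp", "telnet"}
# 13-19 digits, optionally separated by spaces or dashes; validated with Luhn below.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class Finding:
    url: str
    transport: str
    data_type: str
    vrt: str = "Insecure Data Transport->Cleartext Transmission of Sensitive Data"
    priority: Optional[str] = None  # context based, as the proposal leaves it


def luhn_ok(digits: str) -> bool:
    """Reject digit runs that merely look like a card number (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sensitive_types(payload: str) -> List[str]:
    """Return the categories of sensitive data present in a request body."""
    found = []
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in PAN_RE.finditer(payload)):
        found.append("PAN")
    if EMAIL_RE.search(payload):
        found.append("email address")
    return found


def scan(records: List[Tuple[str, str]]) -> List[Finding]:
    """Emit one finding per sensitive data type sent over a cleartext transport."""
    findings = []
    for url, body in records:
        scheme = urlsplit(url).scheme.lower()
        if scheme not in CLEARTEXT_SCHEMES:
            continue  # TLS-protected request: outside this entry's scope
        for kind in sensitive_types(body):
            findings.append(Finding(url, scheme, kind))
    return findings


# Constructed sample records (url, body); 4111... is the standard test PAN.
SAMPLE_RECORDS = [
    ("http://shop.example/checkout", "card=4111111111111111&exp=12/27"),
    ("https://shop.example/checkout", "card=4111111111111111&exp=12/27"),
    ("http://api.example/profile", "name=Alice&email=alice@example.com"),
    ("http://shop.example/orders", "order=1234567890123456"),
]
```

Running `scan(SAMPLE_RECORDS)` reports the HTTP checkout and profile requests only: the HTTPS copy is skipped and the Luhn check drops the order number that happens to be 16 digits long.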

This question comes from the open-source project: bugcrowd/vulnerability-rating-taxonomy


5 replies

  • weixin_39597987 5 months ago

    Looks like we are leaning towards Insecure Data Transport->Cleartext Transmission of Sensitive Data. Will implement by EOD if there are no further comments

  • weixin_39712969 5 months ago

    Due to the need for an attacker to be in a privileged position, I think sensitive information being transferred over cleartext should be moved to a P4.

  • weixin_39597987 5 months ago

    Agreed, the majority of sensitive information transmitted in clear text qualifies for P4/P5 based on the type of data, but there are some cases where we recommend a higher priority. We already classify cleartext transmission of credentials on login as P3 and in many cases recommend sensitive data like credit card information or critical application tokens higher than just low risk. The attacker has to be in a privileged position, which is certainly an obstacle in case of a targeted attack, but we don't disregard the high impact of opportunistic attacks since those are the vast majority in case of this type of data disclosure.

  • weixin_39712969 5 months ago

    I think credentials over cleartext should be a P4 while critical data such as credit card data should be a P3. As it stands, Telnet in use is a P4 and credentials over HTTP is the same attack.

  • weixin_39597987 5 months ago

    Sounds like good material for a new issue. I'll go ahead and PR this one.
