Comments (7)
I would consider this to be the same as login over HTTP. Both require an active man in the middle, and I'd change both to P4 for that matter.
from vulnerability-rating-taxonomy.
I agree with @shpendk. This is the same as login over HTTP and both should have the same priority.
+1 for P4 for From HTTP to HTTPS
I feel like the difference between these two is significant enough to warrant one priority point up in favor of the Over HTTP variant. Let's consider the following:
- Sending credentials in clear text (Over HTTP), because of the nature of Wi-Fi network traffic, allows a simple eavesdropper to steal them. They literally fly in the air. Given how common Wi-Fi networks are, this is a serious problem.
- Sending credentials from HTTP to HTTPS, on the other hand, requires a motivated attacker that is capable of establishing an active proxy, which lowers the risk.
But is actively modifying a man in the middle connection that much harder than only eavesdropping? I would not think so.
I also agree that both of these are similar. But I would prioritize them both as P3, considering the ease of executing such an attack.
Looks like we won't be needing a new entry as the majority of us seem to agree that these variants pose the same risk. It's definitely great that we had this discussion, so we could shape our position. If anybody feels strongly that we should be downgrading the priority on the existing entry please feel free to make your case before we close this Issue.