1. Home
  2. CWE Database
  3. CWE-523
Base · Medium

CWE-523: Unprotected Transport of Credentials

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

CWE-523 · Base Level ·1 Mitigations

Description

Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

Potential Impact

Access Control

Gain Privileges or Assume Identity

Mitigations & Prevention

OperationSystem Configuration

Enforce SSL use for the login page or any page used to transmit user credentials or other sensitive information. Even if the entire site does not use SSL, it MUST use SSL for login. Additionally, to help prevent phishing attacks, make sure that SSL serves the login page. SSL allows the user to verify the identity of the server to which they are connecting. If the SSL serves login page, the user can be certain they are talking to the proper end system. A phishing attack would typically redirect a

Detection Methods

  • Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

CWE-522: Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauth...

CWE-319: Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by...

Taxonomy Mappings

  • Software Fault Patterns: SFP23 — Exposed Data

Frequently Asked Questions

What is CWE-523?

CWE-523 (Unprotected Transport of Credentials) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

How can CWE-523 be exploited?

Attackers can exploit CWE-523 (Unprotected Transport of Credentials) to gain privileges or assume identity. This weakness is typically introduced during the Architecture and Design phase of software development.

How do I prevent CWE-523?

Key mitigations include: Enforce SSL use for the login page or any page used to transmit user credentials or other sensitive information. Even if the entire site does not use SSL, it MUST use SSL for login. Additionally, to h

What is the severity of CWE-523?

CWE-523 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.