# Cleartext Transmission of Sensitive Information (CWE-319) The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. - Prevalence: High Frequently exploited - Impact: High 5 high-severity rules - Prevention: Documented 6 fix examples **OWASP:** Cryptographic Failures (A02:2021-Cryptographic Failures) - #2 ## Description Many communication channels can be sniffed by attackers during data transmission. When sensitive data is transmitted without encryption, an attacker can intercept and read this information. Secure channels like TLS should be used to protect sensitive data in transit. ## Prevention ### Go Use StartTLS instead of Start to enable HTTPS encryption Use ListenTLS instead of Listen to enable HTTPS encryption Use RunTLS instead of Run to enable HTTPS encryption ### Kubernetes Configure TLS on Ingress resources to encrypt traffic in transit Remove insecure-skip-tls-verify and use proper certificate verification with CA certificates ### Python Use HTTPS for all external requests and enable SSL redirect in frameworks ## Warning Signs - [HIGH] Ingress exposes HTTP traffic without TLS encryption - [HIGH] Kubernetes Ingress resources without TLS configuration - [HIGH] TLS certificate verification disabled (vulnerable to MITM attacks) - [HIGH] when TLS certificate verification is disabled in Kubernetes configurations - [HIGH] use of unencrypted HTTP for sensitive operations like API calls, authentication, payment processing, ## Consequences - Read Application Data - Bypass Protection Mechanism ## Mitigations - Encrypt all sensitive data before transmission - Use TLS/SSL for all connections that transmit sensitive data - Implement certificate pinning for mobile applications ## Detection - Total rules: 6 - Languages: go, kubernetes, yaml, python ## Rules by Language ### Go (3 rules) - **Echo Running Without TLS** [HIGH]: Echo server running over HTTP instead of HTTPS. - Remediation: Use StartTLS with certificate files for HTTPS. ```go e := echo.New() e.StartTLS(":443", "cert.pem", "key.pem") ``` Learn more: https://shoulder.dev/learn/go/cwe-319/tls-config - **Fiber Running Without TLS** [HIGH]: Fiber server running over HTTP instead of HTTPS. - Remediation: Use ListenTLS with certificate files for HTTPS. ```go app := fiber.New() app.ListenTLS(":443", "cert.pem", "key.pem") ``` Learn more: https://shoulder.dev/learn/go/cwe-319/tls-config - **Gin Running Without TLS** [LOW]: Gin server running over HTTP instead of HTTPS. - Remediation: Use RunTLS with certificate files for HTTPS. ```go r := gin.Default() r.RunTLS(":443", "cert.pem", "key.pem") ``` Learn more: https://shoulder.dev/learn/go/cwe-319/tls-config ### Yaml (2 rules) - **Ingress Missing TLS Configuration** [HIGH]: Detects Kubernetes Ingress resources without TLS configuration. - Remediation: Configure TLS for Ingress resources. ```yaml spec: tls: - hosts: [example.com] secretName: example-tls ``` Learn more: https://shoulder.dev/learn/kubernetes/cwe-319/ingress-missing-tls - **Insecure TLS Verification Disabled** [HIGH]: Detects when TLS certificate verification is disabled in Kubernetes configurations. - Remediation: Remove the insecure TLS skip setting and use proper certificate verification. ### Kubernetes (1 rules) - **Ingress Missing TLS Configuration** [HIGH]: Detects Kubernetes Ingress resources without TLS configuration. - Remediation: Configure TLS for Ingress resources. ```yaml spec: tls: - hosts: [example.com] secretName: example-tls ``` Learn more: https://shoulder.dev/learn/kubernetes/cwe-319/ingress-missing-tls ### Python (1 rules) - **HTTP Used Instead of HTTPS** [HIGH]: Detects use of unencrypted HTTP for sensitive operations like API calls, authentication, payment processing, or data transmission. HTTP traffic is sent in cleartext and can be intercepted. Always use HTTPS. - Remediation: Use HTTPS for all external requests and enable SSL redirect. ```python import requests API_URL = "https://api.example.com" response = requests.get(f"{API_URL}/data", verify=True, timeout=10) # Django settings.py SECURE_SSL_REDIRECT = True SESSION_COOKIE_SECURE = True ``` Learn more: https://shoulder.dev/learn/python/cwe-319/http-not-https