Menu
Testing for Credentials Transported over an Encrypted Channel
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux
AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3
Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation
CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab
Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence
macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools
| name | wstg-athn-01 |
| description | Testing for Credentials Transported over an Encrypted Channel |
| category | authentication |
| owasp_id | WSTG-ATHN-01 |
| version | 1.0.0 |
| author | cyberstrike-official |
| tags | ["authentication","login","credentials","mfa","wstg","athn"] |
| tech_stack | [] |
| cwe_ids | ["CWE-522"] |
| chains_with | [] |
| prerequisites | [] |
| severity_boost | {} |
WSTG-ATHN-01
Testing for Credentials Transported over an Encrypted Channel
This test verifies that user credentials (usernames, passwords, tokens) are transmitted over encrypted channels (HTTPS/TLS) to prevent interception by attackers. Transmitting credentials over unencrypted HTTP exposes them to man-in-the-middle attacks, network sniffing, and session hijacking. All authentication-related traffic must be encrypted.
| Issue | Risk |
|---|---|
| HTTP login page | Credential interception |
| Mixed content (HTTPS page, HTTP form action) | Form hijacking |
| HTTP redirects before HTTPS | SSL stripping |
| Insecure API endpoints | Token theft |
# Check if login page is served over HTTPS
curl -sI "http://target.com/login" | head -20
curl -sI "https://target.com/login" | head -20
# Check for HTTP to HTTPS redirect
curl -sI -L "http://target.com/login" 2>&1 | grep -i "location\|http"
# Verify no mixed content
curl -s "https://target.com/login" | grep -i "http://"
# Get login form and check action URL
curl -s "https://target.com/login" | grep -i "<form" | grep -i "action"
# Check if form action is HTTPS
curl -s "https://target.com/login" | \
grep -oP 'action="[^"]*"' | \
head -5
# Look for JavaScript that might change form action
curl -s "https://target.com/login" | grep -i "form.action\|submit"
# Attempt login and capture request details
curl -v -X POST "https://target.com/api/login" \
-H "Content-Type: application/json" \
-d '{"username":"test","password":"test123"}' 2>&1 | \
grep -i "< \|> \|ssl\|tls"
# Check for secure cookies
curl -sI -X POST "https://target.com/api/login" \
-H "Content-Type: application/json" \
-d '{"username":"test","password":"test123"}' | \
grep -i "set-cookie"
# Verify Secure flag on session cookies
# Check if HTTP endpoints are accessible
endpoints=(
"/login"
"/api/login"
"/api/auth"
"/register"
"/password-reset"
"/api/token"
)
for endpoint in "${endpoints[@]}"; do
http_status=$(curl -s -o /dev/null -w "%{http_code}" "http://target.com$endpoint")
https_status=$(curl -s -o /dev/null -w "%{http_code}" "https://target.com$endpoint")
echo "$endpoint - HTTP: $http_status, HTTPS: $https_status"
if [ "$http_status" != "301" ] && [ "$http_status" != "302" ] && [ "$http_status" != "000" ]; then
echo " [WARNING] HTTP endpoint accessible without redirect"
fi
done
# Test TLS version support
nmap --script ssl-enum-ciphers -p 443 target.com
# Check for weak protocols
openssl s_client -connect target.com:443 -ssl3 2>&1 | head -5
openssl s_client -connect target.com:443 -tls1 2>&1 | head -5
openssl s_client -connect target.com:443 -tls1_1 2>&1 | head -5
openssl s_client -connect target.com:443 -tls1_2 2>&1 | head -5
openssl s_client -connect target.com:443 -tls1_3 2>&1 | head -5
# Check certificate validity
openssl s_client -connect target.com:443 -servername target.com 2>/dev/null | \
openssl x509 -noout -dates
# Check for HSTS header
curl -sI "https://target.com" | grep -i "strict-transport-security"
# Verify HSTS parameters
# Should include: max-age (long duration), includeSubDomains, preload
# Check HSTS preload status
# https://hstspreload.org/?domain=target.com
# Check API endpoints for HTTPS
api_endpoints=(
"/api/v1/auth/login"
"/api/v1/auth/token"
"/api/v1/auth/refresh"
"/api/oauth/token"
"/oauth2/token"
)
for endpoint in "${api_endpoints[@]}"; do
# Test HTTP (should fail or redirect)
http_response=$(curl -s -o /dev/null -w "%{http_code}" \
"http://target.com$endpoint")
# Test HTTPS
https_response=$(curl -s -o /dev/null -w "%{http_code}" \
"https://target.com$endpoint")
echo "$endpoint"
echo " HTTP: $http_response (should be 301/302 or unavailable)"
echo " HTTPS: $https_response"
done
| Tool | Description | Usage |
|---|---|---|
| SSLyze | TLS configuration analyzer | sslyze target.com |
| testssl.sh | TLS testing | ./testssl.sh target.com |
| nmap | SSL enumeration | nmap --script ssl-* |
| Tool | Description |
|---|---|
| Wireshark | Network traffic analysis |
| Burp Suite | Proxy with TLS inspection |
| mitmproxy | MITM proxy |
#!/bin/bash
TARGET=$1
echo "=== CREDENTIAL TRANSPORT SECURITY TEST ==="
echo "Target: $TARGET"
echo ""
# 1. Check HTTPS availability
echo "[+] Checking HTTPS availability..."
https_status=$(curl -s -o /dev/null -w "%{http_code}" "https://$TARGET")
if [ "$https_status" == "000" ]; then
echo " [FAIL] HTTPS not available!"
exit 1
else
echo " [OK] HTTPS available (Status: $https_status)"
fi
# 2. Check HTTP redirect
echo ""
echo "[+] Checking HTTP to HTTPS redirect..."
http_location=$(curl -sI "http://$TARGET" | grep -i "^location:" | cut -d' ' -f2)
if echo "$http_location" | grep -qi "https://"; then
echo " [OK] HTTP redirects to HTTPS"
else
echo " [WARNING] HTTP may not redirect to HTTPS"
fi
# 3. Check HSTS
echo ""
echo "[+] Checking HSTS header..."
hsts=$(curl -sI "https://$TARGET" | grep -i "strict-transport-security")
if [ -n "$hsts" ]; then
echo " [OK] HSTS enabled: $hsts"
else
echo " [WARNING] HSTS not enabled"
fi
# 4. Check login form
echo ""
echo "[+] Checking login form..."
login_form=$(curl -s "https://$TARGET/login" 2>/dev/null)
if echo "$login_form" | grep -qi 'action="http://'; then
echo " [FAIL] Login form submits over HTTP!"
elif echo "$login_form" | grep -qi 'action="https://\|action="/\|action=""'; then
echo " [OK] Login form submits securely"
else
echo " [INFO] Could not determine form action"
fi
# 5. Check for mixed content
echo ""
echo "[+] Checking for mixed content..."
mixed=$(curl -s "https://$TARGET/login" | grep -i "http://" | grep -v "https://")
if [ -n "$mixed" ]; then
echo " [WARNING] Potential mixed content found"
else
echo " [OK] No obvious mixed content"
fi
# 6. Check TLS version
echo ""
echo "[+] Checking TLS versions..."
for version in tls1 tls1_1 tls1_2 tls1_3; do
result=$(echo | timeout 5 openssl s_client -connect "$TARGET:443" -$version 2>&1)
if echo "$result" | grep -q "Cipher is"; then
echo " $version: Supported"
else
echo " $version: Not supported"
fi
done
# 7. Check secure cookie flags
echo ""
echo "[+] Checking cookie security..."
cookies=$(curl -sI -X POST "https://$TARGET/login" \
-d "username=test&password=test" 2>/dev/null | \
grep -i "set-cookie")
if echo "$cookies" | grep -qi "secure"; then
echo " [OK] Secure flag present on cookies"
else
echo " [WARNING] Secure flag may be missing"
fi
if echo "$cookies" | grep -qi "httponly"; then
echo " [OK] HttpOnly flag present"
else
echo " [WARNING] HttpOnly flag may be missing"
fi
echo ""
echo "[+] Test complete"
# Nginx - Redirect all HTTP to HTTPS
server {
listen 80;
server_name example.com www.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
# Strong TLS configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
}
# Nginx HSTS header
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Apache HSTS header
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Python/Flask
app.config.update(
SESSION_COOKIE_SECURE=True,
SESSION_COOKIE_HTTPONLY=True,
SESSION_COOKIE_SAMESITE='Lax'
)
# Set secure cookies
response.set_cookie(
'session',
value=session_token,
secure=True,
httponly=True,
samesite='Lax'
)
# Flask - Redirect HTTP to HTTPS
from flask import Flask, redirect, request
@app.before_request
def enforce_https():
if not request.is_secure and not app.debug:
url = request.url.replace('http://', 'https://', 1)
return redirect(url, code=301)
| Finding | CVSS | Severity |
|---|---|---|
| Credentials over HTTP | 7.5 | High |
| No HTTP to HTTPS redirect | 5.3 | Medium |
| Missing HSTS | 4.3 | Medium |
| Weak TLS configuration | 5.3 | Medium |
| Missing Secure cookie flag | 4.3 | Medium |
| CWE ID | Title | Description |
|---|---|---|
| CWE-319 | Cleartext Transmission of Sensitive Information | HTTP credentials |
| CWE-523 | Unprotected Transport of Credentials | Missing encryption |
| CWE-614 | Sensitive Cookie Without Secure Flag | Cookie theft |
[ ] Login page served over HTTPS
[ ] Login form action is HTTPS
[ ] HTTP redirects to HTTPS
[ ] HSTS header present
[ ] HSTS max-age sufficient (>1 year)
[ ] No mixed content on auth pages
[ ] TLS 1.2+ only
[ ] Strong cipher suites
[ ] Secure flag on session cookies
[ ] HttpOnly flag on session cookies
[ ] API auth endpoints HTTPS only
[ ] Certificate valid and not expired
[ ] Findings documented
[ ] Remediation recommendations provided