CWE-319
ISO27001-A.14.1.3
OWASP 2013-A6
OWASP 2017-A3

Passive Mixed Content over HTTPS

Severity:
Low
Summary

Invicti detected a mixed content loaded over HTTP within an HTTPS page.

Impact

If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted. The unencrypted content is accessible to sniffers.

A man-in-the-middle attacker can intercept the request and also rewrite the response to include malicious or deceptive content. This content can be used to steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example), and therefore the connection is not safeguarded anymore.

Remediation

There are two technologies to defense against the mixed content issues:

  1. HTTP Strict Transport Security (HSTS) is a mechanism that enforces secure resource retrieval, even in the face of user mistakes (attempting to access your web site on port 80) and implementation errors (your developers place an insecure link into a secure page)
  2. Content Security Policy (CSP) can be used to block insecure resource retrieval from third-party web sites

Last but not least, you can use "protocol relative URLs" to have the user's browser automatically choose HTTP or HTTPS as appropriate, depending on which protocol the user is connected with. For example;

a protocol relative URL to load an image would look like <img src="//example.com/image.png">. The browser will automatically add either "http:" or "https:" to the start of the URL, whichever is appropriate.

Required Skills for Successful Exploitation
Actions To Take
Vulnerability Index

You can search and find all vulnerabilities

Select Vulnerability
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Featured resources

Blog

Strengthening enterprise application security: Invicti acquires Kondukto

Blog

Modern AppSec KPIs: Moving from scan counts to real risk reduction

Blog

Friends don’t let friends shift left: Shift smarter with DAST-first AppSec

Blog

Vibe talking: Dan Murphy on the promises, pitfalls, and insecurities of vibe coding

Blog

What lies ahead for CMS.

Blog

How to integrate CMS with other tools.

Blog

Improve user experience through CMS.

Blog

How CMS can benefit e-commerce.

Blog

Stay updated on CMS trends.

Blog

Tips for improving CMS performance.

Blog

Learn how to secure your CMS.

Blog

Explore the advantages of CMS.

Blog

A comprehensive guide to CMS.

Build your resistance to threats. And save hundreds of hours each month.