Login pages not using adequate measures to protect the user name and password while they are in transit from the client to the server.
Time of Introduction: Architecture and Design
Technical Impact: Gain privileges / assume
Phases: Operation; System Configuration
Enforce the use of SSL for the login page and for any page used to transmit user
credentials or other sensitive information. Even if the entire site does
not use SSL, it MUST use SSL for login. Additionally, to help prevent
phishing attacks, make sure that the login page itself is served over SSL. SSL allows
the user to verify the identity of the server to which they are
connecting. If SSL serves the login page, the user can be certain they
are talking to the proper end system. A phishing attack would typically
redirect a user to a site that does not have a valid, trusted server
certificate issued by an authorized supplier.
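One way to audit pages for this weakness, as an added example that is not part of the CWE entry: a small Python checker that flags any form containing a password field when the page itself was not served over HTTPS or when the form posts to an http:// URL. The sample HTML and the example.test URLs below are constructed for the demonstration.

```python
"""Flag login forms that would send credentials over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each form's action URL and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of [action, has_password]
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [attrs.get("action") or "", False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_insecure_login_forms(page_url, html):
    """Return (target_url, reason) for every password form sent in cleartext.

    A form is reported if the page itself arrived over http:// (the user cannot
    verify the server, and the form could be altered in transit) or if the
    form action resolves to an http:// URL.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    for action, has_password in scanner.forms:
        if not has_password:
            continue                      # not a credential form
        target = urljoin(page_url, action) if action else page_url
        if page_scheme != "https":
            findings.append((target, "login page served without SSL/TLS"))
        elif urlsplit(target).scheme.lower() != "https":
            findings.append((target, "credentials posted without SSL/TLS"))
    return findings


# Constructed sample pages for a stand-alone run (not from any real site).
SECURE = '<form action="/login"><input type="password" name="pw"></form>'
MIXED = '<form action="http://example.test/login"><input type="password"></form>'
SEARCH = '<form action="http://example.test/q"><input type="text" name="q"></form>'
```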
SSL (Secure Sockets Layer) provides data confidentiality and integrity for
HTTP. By encrypting HTTP messages, SSL protects against attackers eavesdropping
on or altering message contents.