We’ve been hearing a lot of things about HTTPS during the past months, and the Heartbleed “bug” has its responsibility in that phenomenon.
There was a time when HTTPS was dedicated to highly sensitive transactions, like banking transactions.

Now HTTPS is considered mandatory as soon as a user is authenticated on a website, in order to protect his web session and connection credentials.

What is HTTPS?

HTTPS is nothing more than HTTP, the Internet protocol used to exchange data between a server and a client (web browser) on which we add a security layer.
HTTP is not a secured protocol: it has been designed in a pure functional objective without taking any security constraint into consideration.

So we add a security layer to HTTP. To be more accurate, we encapsulate HTTP into a secured connection.

This flaw is ranked #10 on the OWASP Top 10. It is the last one of the top 10, so it is not the most “important” but is doesn’t mean we can ignore it, quite the contrary.
This vulnerability empowers phishing attacks. It helps attackers gaining the trust of their victims.
In some cases, it also helps attackers accessing resources their should not be able to access.

How does this flaw work?

Still in our series of articles about web vulnerabilities, this 6th episode is about Sensitive Data Exposure.
As usual, we won’t dive into the highly technical details here (this would require several pages) and won’t therefore discuss cryptography.
This type of vulnerability is ranked number 6 on the OWASP Top 10 2013. These vulnerabilities are usually quite difficult to exploit by hackers, but the impact being really severe, it is very important to properly understand them and make appropriate choices in the application architecture.