Application Security #2: I have HTTPS so my application is secure? Does HTTPS secure my application?
tl;dr — HTTPS protects your application traffic in transit: it encrypts it so that an eavesdropper cannot read your application data in plain text, and it lets the browser verify that it is talking to the genuine server. It does nothing about vulnerabilities inside the application itself, such as Cross-Site Scripting or SQL injection. Those exist and are exploitable whether the page is served over http:// or https://.
For the purposes of this article, the answer to the questions in the title is “No”. The honest answer is “Yes and No”: yes, HTTPS secures the traffic; no, it does not secure the application.
If you ask me what the single most misunderstood concept is when developers read security assessment or penetration testing reports, I would say HTTPS (Hypertext Transfer Protocol Secure). HTTPS is the most basic security control any application needs today, but it is not a panacea for all of your application's security vulnerabilities.
Pentester: “Hey, I found that your application has an XSS issue.”
Application Team: “Our application uses HTTPS already! So no issue right?”
Pentester: *sobs*
What is HTTPS and what does it do?
Just going over the very basic concept; I am sure most developers already know what HTTPS is. HTTPS is the secure alternative to HTTP, the de facto communication protocol of the web. Every web URL starts with “https://” or “http://”.
Let’s understand another concept first: SSL
Another concept to understand before going into HTTPS is SSL (Secure Sockets Layer). Whenever you open a web page, the two-way traffic between your browser and the server is transmitted over the internet using HTTP, in clear text. That means anyone on your local network, or on any hop along the path across the internet, can see which page you are retrieving and what data goes back and forth. Imagine you are using an online banking application and people can see your username, password and all of your account information. Not so safe, eh? SSL was introduced to solve this. SSL encrypts the traffic so that whoever sniffs it only sees what looks like random bytes that cannot be made sense of, while you and the bank still see the data in plain text. It also lets the browser check that it is really talking to the bank's server, and it detects tampering with the data in transit. Nice stuff! Strictly speaking, modern browsers use TLS (Transport Layer Security), the successor to SSL, but the old name has stuck and people say “SSL” for both. So by combining HTTP and SSL/TLS, we get HTTPS.
SSL + HTTP = HTTPS.
So, the purpose of HTTPS is to protect your traffic from being sniffed or tampered with by attackers on the network path.
The confusion
The major confusion I have observed among developers is the belief that HTTPS solves all of the application's vulnerabilities! This is not true. The only purpose of HTTPS is to protect the traffic in transit!
Now let's see a visual example to understand this better. The sample application has two pages: a Login page and a Welcome page. We will first access the pages over plain HTTP, i.e. “http://”.
If an attacker is sniffing your traffic, say while you use this application sipping coffee and making good use of free Wi-Fi, they can see all of your data, including the username and password you typed, as in the capture below.
You would not walk around naked in places where people can see you in real life, would you? Then you should not walk around the internet naked either, which is what plain HTTP amounts to. (If you are a nudist, I cannot comment.) That is why using HTTPS for every application is basic security hygiene. Let's see what the same sniffing looks like when the application is served over HTTPS.
So this is what HTTPS is for: hiding and protecting the traffic on its way between browser and server. Beyond that, it does not fix any vulnerability in the application itself. Whatever the server sends, HTTPS sends faithfully, including the attacker's payload.
It will not solve an XSS issue. It will not solve an SQLi (SQL injection) issue. It will not solve an authentication bypass issue. Ok, I think the point is made :D
Let me stress this point one last time with an example. The example below shows that XSS is possible even when the application is served over HTTPS, i.e. “https://”.
doWelcome.php takes whatever username value arrives in the POST request and prints it into the page without encoding it, which is a classic reflected Cross-Site Scripting (XSS) vulnerability. The browser receives exactly the same HTML either way; TLS only keeps observers on the network path from reading it.
This shows that HTTPS does not fix security issues inside the application.
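To make the point concrete, here is an added example that is not part of the original post and not the author's PHP. It is a small Python stand-in for doWelcome.php: the vulnerable handler reflects the POST `username` field into the HTML exactly as the post describes, a second handler applies the real fix (HTML-encoding the value), and a tiny demo shows that the response body is byte-for-byte identical whether the request arrived over http or https. The handler names, the `scheme` parameter and the sample POST bodies are all assumptions constructed for the demo.

```python
"""Added example (not from the original post): a Python stand-in for doWelcome.php.

Models what the post describes: the `username` field from the POST body is
printed straight into the page. The `scheme` argument is the URL scheme the
request arrived on ('http' or 'https'); note that neither handler uses it to
build the response, which is exactly why TLS cannot remove the XSS.
"""
from html import escape
from urllib.parse import parse_qs

# Constructed sample POST bodies, as a browser would send them from the login form.
BENIGN_BODY = "username=alice&password=secret"
XSS_BODY = "username=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&password=secret"


def do_welcome_vulnerable(scheme: str, body: str) -> str:
    """Reflects the username unescaped: a reflected XSS, regardless of `scheme`."""
    username = parse_qs(body).get("username", [""])[0]
    return f"<html><body><h1>Welcome {username}</h1></body></html>"


def do_welcome_fixed(scheme: str, body: str) -> str:
    """Same page with the actual fix: encode the untrusted value for the HTML context."""
    username = parse_qs(body).get("username", [""])[0]
    return f"<html><body><h1>Welcome {escape(username, quote=True)}</h1></body></html>"


def contains_script_tag(html_page: str) -> bool:
    """Crude check used by the demo: does a raw <script> element survive into the page?"""
    return "<script>" in html_page.lower()


def demo() -> dict:
    """Runs both handlers over both schemes and reports what the browser would execute."""
    results = {}
    for scheme in ("http", "https"):
        vuln = do_welcome_vulnerable(scheme, XSS_BODY)
        fixed = do_welcome_fixed(scheme, XSS_BODY)
        results[scheme] = {
            "vulnerable_executes_script": contains_script_tag(vuln),
            "fixed_executes_script": contains_script_tag(fixed),
        }
    # The response bodies are identical across schemes: HTTPS changes how the
    # bytes travel, not what they contain.
    results["identical_across_schemes"] = (
        do_welcome_vulnerable("http", XSS_BODY) == do_welcome_vulnerable("https", XSS_BODY)
    )
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it prints `True` for the vulnerable handler under both http and https and `False` for the fixed one, plus `identical_across_schemes True`. In the real PHP page the equivalent fix is `htmlspecialchars($username, ENT_QUOTES, 'UTF-8')` before echoing the value; what matters is that the encoding happens in the application code, because that is the only place the bug lives.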
Conclusion
This has been a long explanation. The main point is that HTTPS only secures your application traffic in transit; it was never meant to solve the application's other security issues. I hope the typical misunderstanding about HTTPS is finally addressed!
If you don’t fully understand what XSS is from the example above, I might write a post about it one day.
By the way, if you are curious about another concept of What is server-side input validation, check this article here.
Thank you for reading.
Code Securely and stay safe! It’s an insane world out there :D