
Is an endpoint with HTTPS not enough to avoid sniffing attacks?


My endpoint is accompanied by HTTPS, but if I post user credentials via this endpoint, how is it vulnerable to sniffing attacks? Is an endpoint with HTTPS not enough, or are some other implementations also required?

If I POST user credentials via a REST endpoint:

Statement 1: My endpoint is HTTPS enabled.

Statement 2: The transmission channel is HTTPS encrypted.

What is the difference between these 2 statements?

I am sending a POST request via an HTTPS-enabled REST API, even though the POST data is visible when intercept is on.

The following image was provided by our VAPT team, saying that the endpoint is not secure since they are able to intercept the traffic and retrieve the POST data, like username and password.



Solution

  • HTTPS encrypts the transmission channel so that any node between the client and server cannot read the plaintext content. The traffic can still be sniffed, but the sniffed data is encrypted. This is a very important distinction because if the encryption is weak or if it is cracked in the future, any saved, encrypted data might be decrypted.


    What is the difference between:

    1. My endpoint is HTTPS enabled.
    2. The transmission channel is HTTPS encrypted.

    It's the difference between "I know how to bake a cake" and "I am baking a cake". Just having something enabled doesn't mean it is being used or that HTTPS hasn't been bypassed or disabled somehow.
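A client-side check of the "enabled" versus "actually in use" distinction drawn in the answer above, added here as an example and not part of the original post. The function names, finding strings and `api.example.test` URLs are constructed for illustration; the `ssl` attributes are the Python standard library's own.

```python
import ssl
from urllib.parse import urlsplit

def channel_findings(hops, ctx):
    """List reasons a POST may not be protected in transit.

    hops: the request URL followed by any redirect targets the client follows.
    ctx:  the ssl.SSLContext the client uses for its connections.
    """
    findings = []
    for url in hops:
        # HTTPS being enabled on the server does not cover a hop made over http://
        if urlsplit(url).scheme.lower() != "https":
            findings.append(f"plaintext hop: {url}")
    # Without these two checks the client encrypts to whichever peer answers.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    # Old protocol versions are the "weak encryption" case the answer mentions.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 allowed")
    return findings

def strict_context():
    """Client context that verifies the server and requires TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def lax_context():
    """Constructed weak client: HTTPS is available but its guarantees are off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx

if __name__ == "__main__":
    # Constructed sample: the second hop is a redirect to plain HTTP.
    hops = ["https://api.example.test/login", "http://api.example.test/session"]
    for name, ctx in (("strict", strict_context()), ("lax", lax_context())):
        print(name, channel_findings(hops, ctx))
```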