Unencrypted traffic – Security Testing Handbook for Banking Applications

2: Basic Tests and Techniques
Solution

Do not use client-side validation for controlling the application logic. Use JavaScript primarily for verifying basic user input (like entering a name in a date field) or for presentation purposes. All the application logic must be controlled at the application server.
Unencrypted traffic

If sensitive information is not transmitted over an encrypted channel, it can be intercepted and stolen. Any user who has access to any of the devices the traffic flows through will be able to read all the data that the user sends and receives in clear text. This includes the user's credentials as well as the operations they perform on the application. While testing, we look at whether all the critical data sent to and from the application are encrypted, either at the application layer or at the transport layer. We also check whether communication that should go over a secure channel can be forced onto an insecure channel.
Solution

Ensure that the web server supports only secure communication with strong SSL ciphers. If traffic is received on the web server port that supports insecure communication, redirect it to the port that supports secure communication. Ensure that the secure communication uses a certificate issued by a trusted third party. This is especially critical if the application is in the public domain and is being accessed by customers.
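The downgrade check described above, as an added example that is not part of the handbook: a small Python script that inspects how a server answers a plain-HTTP request (it must redirect to an https:// URL on the same host) and whether the HTTPS response carries a Strict-Transport-Security header. The host name bank.example and the function names are assumptions; the sample responses are constructed.

```python
"""Check whether a web server forces plain-HTTP traffic onto a secure channel."""
import http.client
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


def assess_http_response(host, status, headers):
    """Evaluate the response to a plain HTTP request for the site root.
    Returns a list of findings; an empty list means the server redirected to HTTPS."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    if status not in REDIRECTS:
        findings.append("plain HTTP request answered with %d instead of a redirect" % status)
        return findings
    location = lower.get("location", "")
    target = urlsplit(location)
    if target.scheme != "https":
        findings.append("redirect target is not https: %r" % location)
    elif target.hostname and target.hostname != host:
        findings.append("redirect leaves the tested host: %r" % target.hostname)
    return findings


def assess_https_response(headers):
    """Check that the HTTPS response tells browsers to stop using plain HTTP (HSTS)."""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: browsers may still try http:// first")
        return findings
    max_age = 0
    for part in hsts.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            max_age = int(part[len("max-age="):] or 0)
    if max_age <= 0:
        findings.append("Strict-Transport-Security has no positive max-age: %r" % hsts)
    return findings


def probe(host):
    """Live check against a server you are authorised to test (needs network access)."""
    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("GET", "/", headers={"Host": host})
    resp = plain.getresponse()
    findings = assess_http_response(host, resp.status, dict(resp.getheaders()))
    secure = http.client.HTTPSConnection(host, 443, timeout=10)  # verifies the certificate
    secure.request("GET", "/", headers={"Host": host})
    findings += assess_https_response(dict(secure.getresponse().getheaders()))
    return findings
```

Run `probe("bank.example")` against a test environment; the two `assess_*` functions can also be fed responses captured by an intercepting proxy.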