What are the risks of MITM login/password hijacking from a website?

D

Deniosus2019-04-16 11:06:55

Information Security

Deniosus, 2019-04-16 11:06:55

There is a page with a login/password (for example https:// login . site . com), which sends data via HTTPS during authorization.
On such a page, for example, it loads via HTTP (not SSL!) and executes Javascript from another, albeit trusted, source. It turns out that there are high risks of MITM interception of such data by easy substitution of the "left" script, which will send the entered data to attackers.

Are there any risks of such MITM interception if the following are loaded on the page via HTTP from another (albeit trusted) source:
1. styles or fonts from a third-party source
2. pictures or other media elements
3. iframe
4. any other elements? if so, which ones?

Thanks for the replies and opinions

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

K

Kirill Kudryavtsev, 2019-04-16
@Deissh

Yes, you can change anything, but js and html are especially dangerous. If there are requests to the server, then their answers can be changed, the main thing is not to push the data without shielding into the house.
Although it is difficult to completely solve the problem even using ssl, there are workarounds (although there is protection against this)

X

xmoonlight, 2019-07-23
@xmoonlight

It turns out that there are high risks of MITM interception of such data by easy substitution of the "left" script, which will send the entered data to attackers.

I advise you to take and test, and the question will disappear by itself.