html.security.plaintext-http-link.plaintext-http-link
This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible.
Definition
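# Flags <a> elements whose href is an absolute plaintext http:// URL.
# Scope: only <a href> is matched. <form action>, <script src>, <link href>
# and <iframe src> are not covered by this rule (add them under a
# pattern-either if that coverage is wanted; a plaintext form action is
# usually the more serious case, since it submits user input in the clear).
rules:
- id: plaintext-http-link
  metadata:
    category: security
    technology:
    - html
    cwe:
    - "CWE-319: Cleartext Transmission of Sensitive Information"
    owasp:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures
    # HIGH confidence: the match is a literal scheme check with no data-flow
    # guesswork. Likelihood/impact stay LOW because the rule fires on every
    # http:// link regardless of what the destination page handles.
    confidence: HIGH
    subcategory:
    - vuln
    references:
    - https://cwe.mitre.org/data/definitions/319.html
    - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/
    likelihood: LOW
    impact: LOW
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    vulnerability_class:
    - Mishandled Sensitive Information
  patterns:
  # Attribute order does not matter for the HTML pattern, so
  # <a class=".." href=".."> is matched too (see the examples).
  - pattern: <a href="$URL">...</a>
  - metavariable-regex:
      metavariable: $URL
      # Anchored at the start so "https://host/http://" is not reported.
      # Browsers strip leading ASCII whitespace from href before parsing the
      # URL, so `\s*` keeps href=" http://..." from slipping past the anchor.
      # The (?i) flag is placed first: PCRE accepts it anywhere, but newer
      # Python `re` releases reject a global flag that is not at the start,
      # and leading placement works in both engines.
      # Scheme-relative "//host" links inherit the page's scheme and are
      # deliberately not reported.
      regex: '(?i)^\s*http://'
  message: >-
    This link points to a plaintext HTTP URL, so anyone on the network path
    can read or alter the page the user is sent to. Prefer an encrypted HTTPS
    URL if possible.
  severity: WARNING
  languages:
  - html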
Examples
plaintext-http-link.html
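<!-- Test fixture for the plaintext-http-link rule. Each annotation must sit
     on the line directly above the element it describes; never insert
     anything between an annotation and its element. -->
<!-- ruleid: plaintext-http-link -->
<a href="http://semgrep.dev">Semgrep</a>
<!-- ruleid: plaintext-http-link -->
<a href='http://semgrep.dev'>Semgrep</a>
<!-- ruleid: plaintext-http-link -->
<a href=http://semgrep.dev>Semgrep</a>
<!-- Extra attributes before href must not prevent the match. -->
<!-- ruleid: plaintext-http-link -->
<a class="foo" href="http://semgrep.dev">Semgrep</a>
<!-- ruleid: plaintext-http-link -->
<a class='foo' href='http://semgrep.dev'>Semgrep</a>
<!-- ruleid: plaintext-http-link -->
<a class=foo href=http://semgrep.dev>Semgrep</a>
<!-- The scheme is matched case-insensitively. -->
<!-- ruleid: plaintext-http-link -->
<a href="HTTP://SEMGREP.DEV">Semgrep</a>
<!-- A path or query string is still a plaintext navigation; an https://
     substring later in the URL does not change that. -->
<!-- ruleid: plaintext-http-link -->
<a href="Http://semgrep.dev/docs?next=https://semgrep.dev">Semgrep</a>
<!-- ok: plaintext-http-link -->
<a href="https://semgrep.dev">Semgrep</a>
<!-- The match is anchored: http:// inside the path is not the scheme. -->
<!-- ok: plaintext-http-link -->
<a href="https://semgrep.dev/http://">Semgrep</a>
<!-- Scheme-relative and relative links inherit the page's own scheme. -->
<!-- ok: plaintext-http-link -->
<a href="//semgrep.dev">Semgrep</a>
<!-- ok: plaintext-http-link -->
<a href="/docs">Semgrep</a>
<!-- Non-http schemes are out of scope here; javascript: URLs are an XSS
     concern for a different rule. -->
<!-- ok: plaintext-http-link -->
<a href="javascript:alert(1)">Semgrep</a>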