Sensitive data must be protected when it is transmitted through the network. If data is transmitted over HTTPS or encrypted in another way the protection mechanism must not have limitations or vulnerabilities, as explained in the broader article Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001)  and in other OWASP documentation , , , .
As a rule of thumb if data must be protected when it is stored, this data must also be protected during transmission. Some examples for sensitive data are:
If the application transmits sensitive information via unencrypted channels - e.g. HTTP - it is considered a security risk. Some examples are Basic authentication which sends authentication credentials in plain-text over HTTP, form based authentication credentials sent via HTTP, or plain-text transmission of any other information considered sensitive due to regulations, laws, organizational policy or application business logic.
Various types of information that must be protected, could be transmitted by the application in clear text. It is possible to check if this information is transmitted over HTTP instead of HTTPS, or whether weak cyphers are used. See more information about insecure transmission of credentials Top 10 2013-A6-Sensitive Data Exposure  or insufficient transport layer protection in general Top 10 2010-A9-Insufficient Transport Layer Protection .
A typical example is the usage of Basic Authentication over HTTP. When using Basic Authentication, user credentials are encoded rather than encrypted, and are sent as HTTP headers. In the example below the tester uses curl  to test for this issue. Note how the application uses Basic authentication, and HTTP rather than HTTPS
$ curl -kis http://example.com/restricted/ HTTP/1.1 401 Authorization Required Date: Fri, 01 Aug 2013 00:00:00 GMT WWW-Authenticate: Basic realm="Restricted Area" Accept-Ranges: bytes Vary: Accept-Encoding Content-Length: 162 Content-Type: text/html <html><head><title>401 Authorization Required</title></head> <body bgcolor=white> <h1>401 Authorization Required</h1> Invalid login credentials! </body></html>
Another typical example is authentication forms which transmit user authentication credentials over HTTP. In the example below one can see HTTP being used in the "action" attribute of the form. It is also possible to see this issue by examining the HTTP traffic with an interception proxy.
<form action="http://example.com/login"> <label for="username">User:</label> <input type="text" id="username" name="username" value=""/><br /> <label for="password">Password:</label> <input type="password" id="password" name="password" value=""/> <input type="submit" value="Login"/> </form>
The Session ID Cookie must be transmitted over protected channels. If the cookie does not have the secure flag set  it is permitted for the application to transmit it unencrypted. Note below the setting of the cookie is done without the Secure flag, and the entire log in process is performed in HTTP and not HTTPS.
https://secure.example.com/login POST /login HTTP/1.1 Host: secure.example.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://secure.example.com/ Content-Type: application/x-www-form-urlencoded Content-Length: 188 HTTP/1.1 302 Found Date: Tue, 03 Dec 2013 21:18:55 GMT Server: Apache Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Expires: Thu, 01 Jan 1970 00:00:00 GMT Pragma: no-cache Set-Cookie: JSESSIONID=BD99F321233AF69593EDF52B123B5BDA; expires=Fri, 01-Jan-2014 00:00:00 GMT; path=/; domain=example.com; httponly Location: private/ X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Content-Length: 0 Keep-Alive: timeout=1, max=100 Connection: Keep-Alive Content-Type: text/html ---------------------------------------------------------- http://example.com/private GET /private HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:25.0) Gecko/20100101 Firefox/25.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://secure.example.com/login Cookie: JSESSIONID=BD99F321233AF69593EDF52B123B5BDA; Connection: keep-alive HTTP/1.1 200 OK Cache-Control: no-store Pragma: no-cache Expires: 0 Content-Type: text/html;charset=UTF-8 Content-Length: 730 Date: Tue, 25 Dec 2013 00:00:00 GMT ----------------------------------------------------------