
Urgent Improper Password Transmission #10830


User avatar
0
KPCS created

Hi Team,

While doing Vulnerability Assessment and Penetration Testing (VAPT) of the ASP.NET Zero application, we found that the application is transmitting the password in clear text on the Login page.

In this case an attacker can use network sniffer tools to capture the HTTP requests which contain user passwords.

Please see the attached screen shot for your reference.

Due to this, our production deployment has been put on hold. Please look into this issue on priority and provide us with a solution.

Thanks,

Kind Regards, Kumar Prashant


3 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @KPCS

    You should host your app as HTTPS to prevent such an attack. If that is not possible, you can modify the source code and make necessary changes requested by your security team. But, using HTTPS is the best option I guess.

  • User Avatar
    0
    KPCS created

    Hi,

    We would like to do this for all API calls. Our function to encrypt/decrypt is ready. Can you please suggest the best place to make the function call at both the front end side and backend?

    Thanks

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @KPCS

    I think you are using the Angular version. If that's the case, you can use an Angular HTTP Interceptor and modify the request parameters and resolve it on the server side when you access it.

    However, if this is only for the Login page, you can modify the Login.js file and change the value before sending it to the server, and decrypt it on the server side in AccountController's Login action. I suggest doing it only for the Login page if this is the only place you need it.
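The first answer's recommendation (host the application over HTTPS) as an added example of how it is enforced in an ASP.NET Core Startup class; this is not ASP.NET Zero's own code, and the namespace and HTTPS port are placeholders:

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

namespace ExampleWebHost // placeholder namespace
{
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            // Redirect http:// to https:// before any controller runs. 308 preserves
            // the request method, so a login POST is not turned into a GET.
            services.AddHttpsRedirection(options =>
            {
                options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
                options.HttpsPort = 443; // placeholder: port of the TLS listener
            });
            // HSTS: a browser that has seen one HTTPS response refuses to send plain
            // HTTP to this host afterwards, closing the downgrade window on later visits.
            services.AddHsts(options =>
            {
                options.MaxAge = TimeSpan.FromDays(365);
                options.IncludeSubDomains = true;
                options.Preload = false; // true only after submitting to the preload list
            });
            // The session cookie issued after login must never ride on cleartext.
            services.Configure<CookiePolicyOptions>(o => o.Secure = CookieSecurePolicy.Always);
            services.AddControllersWithViews();
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (!env.IsDevelopment())
            {
                app.UseHsts(); // production only: local dev usually has no trusted cert
            }
            app.UseHttpsRedirection(); // must precede auth and routing
            app.UseCookiePolicy();
            app.UseRouting();
            app.UseAuthentication();
            app.UseAuthorization();
            app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
        }
    }
}
```

With this in place the login form is only ever submitted over TLS, so the cleartext POST seen in the VAPT capture cannot occur; the redirect and HSTS also need the reverse proxy or load balancer in front of the app to terminate TLS and forward the scheme correctly.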