Base solution for your next web application
Open Closed

Vulnerability Assessment and Penetration Testing- Password sent in Clear text #11735


User avatar
0
kansoftware created

Hi, Our application is failed in VAPT test for, Cryptographic failure - Password sent in Clear text format

Check below details:

**Threat Description: ** The pathway of sensitive data like passwords is reflected in plain texts which leads the intruders to get these details by capturing the HTTP requests either using from wire shark or burp suite or any malicious attempts. Impact: A third-party attacker is able to read the user credentials like passwords by intercepting a connection. Evidence: In the below screen shot, we will intercept and capture the login username and password request in Burpsuite.

Recommendations: • It is recommended to use strong encryption algorithm like SHA512 to encrypt sensitive data in transit. • All sensitive parameters must be encrypted using strong algorithm

Please provide the solution for this test, while login the application


5 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @kansoftware

    Since we suggest using HTTPS, we won't implement such a feature. Also, what is the point of encrypting the password on the client side ? I think there shouldn't be such an encrption on the client side app.

  • User Avatar
    0
    kansoftware created

    Hi

    Actually, this was reported by our team working on VAPT for our EMR application which we built using ASPNETZERO, We have observed client side encryption on some of the banking websites.

    Can you please help how we can answer VAPT team for this issue. So, they can close this issue

    Regards, Harshit

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @kansoftware

    I think I got the problem wrong at first but when I look at the screenshot, I see the password on querystring. Is it possible to share the steps to reproduce this case ?

  • User Avatar
    0
    kansoftware created

    Hi,

    We are trying to intercept the request using a Burp suite Tool

    1. Install Burpsuite community edition
    2. Select Proxy option
    3. Enable intecept on
    4. Open browser from burpsuite
    5. Open Aspnetzero application login page
    6. enter username and password
    7. you will see a post request as in screenshot

    Let us know if you need any further assistance.

    Regards Harshit

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    Thanks, I got it now. Since you are using HTTPS, communication between client and server is encrpted. So, I guess you don't want to worry about this. See item 5 under "How to Prevent" title in https://owasp.org/Top10/A02_2021-Cryptographic_Failures/