Description: Cleartext submission of password

Some applications transmit passwords over unencrypted connections, making them vulnerable to interception. To exploit this vulnerability, an attacker must be suitably positioned to eavesdrop on the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.

Vulnerabilities that result in the disclosure of users' passwords can result in compromises that are extremely difficult to investigate due to obscured audit trails. Even if the application itself only handles non-sensitive information, exposing passwords puts users who have re-used their password elsewhere at risk.

Remediation: Cleartext submission of password

Applications should use transport-level encryption (TLS; the older SSL protocols are deprecated and should not be enabled) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
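The following is an added example, not part of the issue text above and not code from Burp Suite or any application it scanned. It puts the weak setting beside the corrected one as two minimal WSGI login endpoints built on the standard library only: `vulnerable_app` serves the login form and accepts the password over any scheme and issues a session cookie without the `Secure` flag, while `hardened_app` redirects every cleartext request before touching the request body, sends an HSTS header, and marks the session cookie `Secure; HttpOnly`. `is_cleartext_password_submission` reproduces the condition the scanner reports. The hostname `app.example`, the cookie name `session`, the demo credential and the `TRUST_FORWARDED_PROTO` switch are assumptions made for the example.

```python
import io
import secrets
from urllib.parse import parse_qs

SESSION_COOKIE = "session"                       # assumed cookie name
HSTS = "max-age=31536000; includeSubDomains"     # one year, as browsers expect
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}
LOGIN_FORM = b"<form method=post><input name=username><input name=password type=password></form>"
# Only honour X-Forwarded-Proto behind a reverse proxy that terminates TLS and
# overwrites the header; otherwise a client can spoof it and bypass the checks.
TRUST_FORWARDED_PROTO = False


def request_is_tls(environ):
    """True when the request reached the application over TLS."""
    if TRUST_FORWARDED_PROTO:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"
    return environ.get("wsgi.url_scheme") == "https"


def read_form(environ):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(length)
    return {k: v[0] for k, v in parse_qs(raw.decode("utf-8"), keep_blank_values=True).items()}


def is_cleartext_password_submission(environ, form):
    """The condition reported as 'Cleartext submission of password':
    a password-like field that arrived over a non-TLS connection."""
    return not request_is_tls(environ) and any(k.lower() in PASSWORD_FIELDS for k in form)


def credentials_valid(form):
    # Constructed demo credential; a real application compares against a password hash.
    return form.get("username") == "alice" and secrets.compare_digest(
        form.get("password", ""), "correct horse battery staple")


def vulnerable_app(environ, start_response):
    """Weak setting: form and credentials accepted over http, cookie without Secure,
    so both the password and the session token can travel in cleartext."""
    if environ["REQUEST_METHOD"] == "GET":
        start_response("200 OK", [("Content-Type", "text/html")])
        return [LOGIN_FORM]
    form = read_form(environ)
    if not credentials_valid(form):
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"bad credentials"]
    token = secrets.token_urlsafe(32)
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", f"{SESSION_COOKIE}={token}; Path=/; HttpOnly")])
    return [b"logged in"]


def hardened_app(environ, start_response):
    """Corrected setting: cleartext requests are redirected before the body is read,
    so the login form is never served over http and a browser never gets a cleartext
    action URL to post the password to; HSTS makes the browser upgrade itself on later
    visits, and the Secure flag keeps the session token off plain-http connections.
    Caveat: a password that does arrive over http has already been exposed on the
    wire; the redirect limits future exposure, it does not undo that one."""
    if not request_is_tls(environ):
        host = environ.get("HTTP_HOST", "app.example")
        location = f"https://{host}{environ.get('PATH_INFO', '/')}"
        start_response("301 Moved Permanently", [("Location", location), ("Content-Length", "0")])
        return [b""]
    secure_headers = [("Strict-Transport-Security", HSTS)]
    if environ["REQUEST_METHOD"] == "GET":
        start_response("200 OK", [("Content-Type", "text/html")] + secure_headers)
        return [LOGIN_FORM]
    form = read_form(environ)
    if not credentials_valid(form):
        start_response("401 Unauthorized", [("Content-Type", "text/plain")] + secure_headers)
        return [b"bad credentials"]
    token = secrets.token_urlsafe(32)
    cookie = f"{SESSION_COOKIE}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
    start_response("200 OK", [("Content-Type", "text/plain"), ("Set-Cookie", cookie)] + secure_headers)
    return [b"logged in"]


def make_environ(method, scheme, body=b"", host="app.example", path="/login"):
    """Constructed WSGI environ standing in for a real server's request."""
    return {
        "REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_HOST": host,
        "wsgi.url_scheme": scheme, "wsgi.input": io.BytesIO(body),
        "CONTENT_LENGTH": str(len(body)),
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
    }


def call(app, method, scheme, body=b"", host="app.example", path="/login"):
    """Drive a WSGI app with a constructed request; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    out = b"".join(app(make_environ(method, scheme, body, host, path), start_response))
    return captured["status"], captured["headers"], out
```

Run `call(vulnerable_app, "POST", "http", b"username=alice&password=...")` and the login succeeds with a cookie any on-path attacker can read; the same request against `hardened_app` is answered with a redirect to `https://app.example/login` and the body is never parsed. The scheme check deliberately lives in the application rather than only in a proxy rule, because the remediation text asks the login and session handling areas to enforce this themselves.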