WebApp Sec mailing list archives
Passing Credentials in the clear- Possible fixes
From: Jeff <pen_tester () adelphia net>
Date: Fri, 25 Feb 2005 18:37:49 -0800
I'm conducting an application assessment for a portal app that is going to be rolled out shortly. All users are allowed access to the home page without authenticating. To get to the customizable portlets they must authenticate. I discovered today that the user credentials are being passed in the clear.

When I present this finding I'm expecting some push back from the application team about how "it's not their problem. It's up to the infrastructure group to come up with a solution (i.e. https enabled servers, network encryption devices, etc.)"

My question is this - are there any possible solutions I could present to the application team as to how they can fix the problem via a coding change instead of letting them lay the responsibility for securing their information off on another group? The portal is Java based if that makes a difference.

Any info appreciated.
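One application-side control of the kind Jeff is asking about, as an added illustration rather than anything from the thread: a servlet filter that refuses to authenticate a login submission unless the request itself arrived over TLS, and sends plain-HTTP requests for the login form to the HTTPS URL instead. The filter class, the `/login` path and the web.xml mapping are assumptions for the example; the portal's real login URL would go in their place.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not from the thread): map it in web.xml to the
 * login URL pattern so credentials are never accepted over plain HTTP.
 */
public class RequireTlsForLoginFilter implements Filter {
    private static final String LOGIN_PATH = "/login"; // assumed login URL

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (LOGIN_PATH.equals(request.getServletPath()) && !request.isSecure()) {
            if ("POST".equalsIgnoreCase(request.getMethod())) {
                // The credentials have already crossed the network unencrypted.
                // Redirecting would only resend them; refuse to authenticate
                // them so the application never rewards the cleartext path.
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Login is only accepted over HTTPS");
            } else {
                // A GET for the login form: serve the form only over HTTPS so
                // the browser's subsequent POST is encrypted as well.
                String target = "https://" + request.getServerName()
                        + request.getRequestURI();
                response.sendRedirect(target);
            }
            return;
        }
        chain.doFilter(req, res);
    }
}
```

`isSecure()` reflects what the servlet container saw, so behind a TLS-terminating proxy the container has to be told about the proxy (Tomcat's RemoteIpValve, for example) or every request will look like plain HTTP. The filter makes the application enforce encrypted transport rather than merely hope the infrastructure group provides it, but it still needs an HTTPS listener to redirect to.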
Current thread:
- Passing Credentials in the clear- Possible fixes Jeff (Feb 28)
- RE: Passing Credentials in the clear- Possible fixes Lyal Collins (Feb 28)