How to Fix Plain Text Credentials Vulnerability HTTPS | VAPT Pentesting Services | cyber security whitepapers | Pune Mumbai Hyderabad Delhi Bangalore Ahmedabad Kolkata India Dubai Bahrain Qatar Kuwait Singapore Australia USA UK Germany Croatia Botswana Mauritius

ATTACK

If the input from the users received are of plain text, it will become easier for hackers to bypass and change the contents in the input by just using any intercepting tools. This also lets hackers get the user input details. This becomes a threat for confidentiality and integrity of the data passing over the wire.

Impact

While this attack is serious for mobile applications, it applies to the browser based applications which are business critical. It?s the organizations responsibility to keep their customers and users credentials safe and confidential. However by letting the user credentials be sent as plain text to the server it?s hampering the confidentiality of the customers/user.

Using intercepting tools, hackers can either intercept and modify the input sent by user before it reaches the server or he can intercept and steal the user credentials. Either ways it?s a threat for confidentiality and integrity.

SOLUTION

To ensure safety from such attacks and to keep the users details confidential following steps should be ensured:

Since user credentials are sensitive information, they should be sent over an encrypted channel (HTTP) to the server.
Encrypt the input details on the client side before sending it to the server.
Use hashing algorithms like MD5 to ensure any modification is not performed on the input sent by user.
Wherever MD5 hashing cannot be used, consider using client side custom encryption logic.