Plain text credentials vulnerability

User credentials are considered sensitive information and should always be transferred to the server over an encrypted connection (HTTPS); they should also be encrypted using a strong algorithm. The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server.
CWE-319
CWE-310
OWASP (A3)

ATTACK

If the input received from users is sent in plain text, it becomes easier for hackers to bypass the application and change the contents of the input using any intercepting tool. This also lets hackers read the details the user entered. This is a threat to the confidentiality and integrity of the data passing over the wire.

Impact

While this attack is serious for mobile applications, it applies equally to business-critical browser-based applications. It is the organization's responsibility to keep its customers' and users' credentials safe and confidential. Letting user credentials be sent to the server in plain text undermines that confidentiality.

Using intercepting tools, hackers can either intercept and modify the input sent by the user before it reaches the server, or intercept and steal the user's credentials. Either way, it is a threat to confidentiality and integrity.

SOLUTION

To protect against such attacks and keep the user's details confidential, the following steps should be followed:

  • Since user credentials are sensitive information, they should be sent to the server over an encrypted channel (HTTPS).
  • Encrypt the input details on the client side before sending them to the server.
  • Use hashing algorithms like MD5 to ensure that no modification has been performed on the input sent by the user.
  • Wherever MD5 hashing cannot be used, consider using custom client-side encryption logic.
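The transport-level control from the list above, as an added example that is not part of the original write-up: a client-side guard that refuses to build a login request unless the endpoint is HTTPS with certificate and hostname verification, plus a check that flags credential fields sent over plain HTTP in proxy log lines. The hostnames, the log line format and the CREDENTIAL_FIELDS set are assumptions constructed for this example.

```python
"""Added example: refuse plaintext credential submission and detect it in logs."""
import ssl
from urllib.parse import parse_qs, urlsplit

# Form field names treated as credentials (assumption; extend for your app).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pin", "token"}


def tls_context_for_login(url: str) -> ssl.SSLContext:
    """Return a verifying TLS context for a login URL, or raise if the URL
    is not HTTPS so credentials can never go out in plain text."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        raise ValueError(f"refusing to send credentials over {scheme!r}: {url}")
    ctx = ssl.create_default_context()  # CA and hostname verification enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # reject SSLv3, TLS 1.0/1.1
    if not ctx.check_hostname or ctx.verify_mode != ssl.CERT_REQUIRED:
        raise RuntimeError("TLS context must verify the server certificate")
    return ctx


def find_plaintext_credential_requests(log_lines):
    """Flag log entries where a credential field travels over http://.
    Constructed log format: '<method> <url> <form-body or ->'."""
    findings = []
    for line in log_lines:
        _method, url, body = line.split(" ", 2)
        parts = urlsplit(url)
        if parts.scheme.lower() == "https":
            continue  # encrypted in transit; nothing to flag
        fields = set(parse_qs(parts.query))  # credentials in the query string
        if body != "-":
            fields |= set(parse_qs(body))  # credentials in the form body
        leaked = sorted(fields & CREDENTIAL_FIELDS)
        if leaked:
            findings.append((url, leaked))
    return findings


# Constructed sample log lines with hypothetical hosts.
SAMPLE_LOG = [
    "POST http://app.example.test/login username=alice&password=hunter2",
    "POST https://app.example.test/login username=bob&password=s3cret",
    "GET http://app.example.test/reset?token=abc123 -",
    "GET http://app.example.test/index.html -",
]

if __name__ == "__main__":
    for url, fields in find_plaintext_credential_requests(SAMPLE_LOG):
        print(f"plaintext credential field(s) {fields} sent to {url}")
    tls_context_for_login("https://app.example.test/login")  # accepted
```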