0

I'm running Nessus on one of my websites and it returns "Web Server Transmits Cleartext Credentials" vulnerability. It is a low level vulnerability, but I want to understand it.

My website encrypts the password text box and that is sent to a database procedure to compare to what encrypted password I have for that user in my database. So even if it was cleartext the encrypted password is being sent across. Does this mean that this vulnerability doesn't apply to my website or am I still allowing the password to be exposed?

Thank you

Jerry Warra
  • 304
  • 1
  • 4
  • 20

1 Answers1

1

I believe there are multiple facets to your potential security issue. This would fail most audits if there is any sensitivity regarding the web service.

  1. This vulnerability occurs because you are not using HTTPS, while handling passwords. (a password field in a form). So yes you are vulnerable to this technically. A Man In The Middle attack could see what is being transmitted and re-use that "encrypted" value. They could also modify the data to cause other actions to occur, depending upon design flaws. You have at least one concern that you have not mitigated here. HTTPS is the best solution to prevent MITM.

  2. Beyond the first point - You seem to be indicating that you know the password value placed into the password field/box by a user is being encrypted before transmission to the server. If the value is being encrypted by using javascript inside the browser, then you are likely not properly securing the password. Client-side javascript is a poor method to implement security controls like this. (especially if there is no MITM-prevention) But if someone is simply pasting an "encrypted" value from somewhere outside the web browser into the browser form and sending it to the server, then the nature of the encryption is a key point. It should be using well known modern encyption protocols such as AES. But this is meaningless if anyone can capture the value via MITM attack and re-use it.

Strongly urge the adoption of TLS security via HTTPS configuration for the web service.

usernotdev
  • 117
  • 1
  • 7
  • Thank you so much. You pointed out something that I overlooked. The password isn't encrypted till it gets to the server then compared to the encrypted password in our database. The password would be exposed in the the call to login. I'm going to change my approach to use https to send the data from the client to the server. Thank you so much – Jerry Warra Aug 07 '17 at 13:34