From b4e0f3bcce9ecfe1498bde1d98891785f4b661f7 Mon Sep 17 00:00:00 2001 From: Jet Hughes Date: Thu, 8 Sep 2022 18:32:28 +1200 Subject: [PATCH] vault backup: 2022-09-08 18:32:28 --- content/notes/ass01-security-audit.md | 29 ++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/content/notes/ass01-security-audit.md b/content/notes/ass01-security-audit.md index e16e2eb30..c1d0c329c 100644 --- a/content/notes/ass01-security-audit.md +++ b/content/notes/ass01-security-audit.md @@ -60,6 +60,32 @@ The login page does not restrict the number of login attempts. This means it is CWE: 22 - You can access the welcome page simply using the path /catalogue/welcome.jsp. This will load the welcome page with the username null. However it is unclear whether this is a security issue as curently the welcome page offers no functionality. - I dont think there are any path traversal flaws in this website. This is because there isn't any urls which contain queries or parameters relating to sensitive pages. + +## Cleartext Transmission of Sensitive Information +CWE: 319 + +When a user logs in, their username and unhashed password are transmitted in a cleartext post request to the server. This informaiton is susceptible to a man in the middle attack and other kinds of interception. +![example payload](https://i.imgur.com/9Tn6gx1.png) + + + + + + + + + + + + + + + + + + + + 
@@ -85,7 +111,4 @@ CWE: 22 - this could be used to export JSESSIONIDs of other users. Which would allow the attack to access their account (while the other user is logged in). - It could also be used to present the user with a legitamate seeming message encouraging them to open a malicious link. -## Network-Level security -- when a user logs in a post request to the server transmits the username and unhashed password to the server. This informaiton is susceptible to a man in the middle attack or other kinds of interception. Hopefully the website uses http. -![example payload](https://i.imgur.com/9Tn6gx1.png) ## Other
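Review bot: In the first hunk (the new "Cleartext Transmission of Sensitive Information" section), the finding does not state what evidence supports "cleartext": whether the login form was served over plain http or over https, and how the request was observed (for example in the browser's network tab or a proxy). Without the scheme, the CWE-319 claim is unsupported, because a POST over TLS is not a cleartext transmission even though the password is "unhashed" in the request body; the expected mitigation is TLS for the whole login flow, not hashing the password on the client. Suggest adding a line such as "Observed: the login page and POST to /login are served over http://..., captured with ..." (with the real URL from the audit) and a mitigation line. The same hunk also appends roughly twenty blank `+` lines after the image; drop them so the diff stays limited to the new section, and fix the spelling of "informaiton" in the sentence that was carried over from the deleted section.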
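Review bot: In the second hunk, removing the "Network-Level security" section also drops the sentence "Hopefully the website uses http.", which reads as a stray observation (presumably meant "https") that the author had not yet verified; the replacement section in the first hunk asserts cleartext transmission as fact without that verification, so the status of the TLS check should be recorded in the new section rather than silently lost. Once the section is moved, the remaining heading sequence goes straight from the JSESSIONID bullets into "## Other", which is fine, but the unchanged context line "allow the attack to access their account" should read "attacker" when this file is next edited.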