How should that help? If there's a man in the middle attack, the attacker could decrypt the data as well. So no security gain.
If the creds are encrypted using a strong encryption method such as RSA, and then decrypted on the server side. This is what they have suggested. Using a public key encrypt ...
Search found 4 matches
- 12 Feb 2018, 12:15
- Forum: Help
- Topic: Username and Password sent as plain text.
- Replies: 8
- Views: 3743
- 12 Feb 2018, 07:45
- Forum: Help
- Topic: Username and Password sent as plain text.
- Replies: 8
- Views: 3743
Re: Username and Password sent as plain text.
The VAPT team suggested that we encrypt the credentials on the login page before sending them to the server, and then decrypt the credentials on the server side.
jojo wrote: I still don't see a real issue here, as man-in-the-middle attacks would also work on other solutions
- 11 Feb 2018, 20:38
- Forum: Help
- Topic: Username and Password sent as plain text.
- Replies: 8
- Views: 3743
Re: Username and Password sent as plain text.
Even when using HTTPS, I can intercept the user credentials using Burp Suite by creating a proxy.
jojo wrote: Use HTTPS and not HTTP
- 10 Feb 2018, 21:37
- Forum: Help
- Topic: Username and Password sent as plain text.
- Replies: 8
- Views: 3743
Username and Password sent as plain text.
We're using OTRS version 5.0.18, and the application recently went through VAPT. There were a few issues, one of which is the username and password being sent as plain text. Could anyone help me close this point ASAP?