Password transmitted in clear text or with an unapproved format MVC IA finding

  • Question

  • User93267240 posted

    My IA department has run a security scan on our MVC application and the following error was displayed: Password transmitted in clear text or with an unapproved format are vulnerable to network protocol analyzers. These passwords acquired with the network protocol analyzer can be used to immediately access the application. The designer will ensure the application transmits account passwords in an approved encrypted format.
      
    I am new to IA application security fixes so any recommendations would be great!
     
    Thanks,
     
    Steve Holdorf

    Tuesday, August 5, 2014 11:18 AM

All replies

  • User1779161005 posted

    Use SSL for any page in the application where there might be sensitive information sent. This includes credentials, cookies and/or content.

    Tuesday, August 5, 2014 11:26 AM
  • User93267240 posted

    Checked with lead developer and sys admin. The application is in SSL and fully covered as soon as the user first hits the application.

    Tuesday, August 5, 2014 2:03 PM
  • User1779161005 posted

    So then ask the auditor what the problem was. It's hard to know how to fix the problem if they can't articulate it to you in more detail.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, August 5, 2014 2:14 PM
  • User93267240 posted

    Will do and thanks for your help!

    Tuesday, August 5, 2014 2:38 PM