Feature #241
closed Feature #235: [Security Audit Round 2]
[Security Audit Round 2] Password Returned in Response
0%
Description
Password Returned in Response
Observation : New
CWE : CWE_204
Description :
Some applications return passwords submitted to the application in clear form in later
responses. This behavior increases the risk that users' passwords will be captured by an
attacker.
Affected Path(s) :
https://his-user-management-service.satragroup.in/master/user-profile
* Applicable to the entire application
Impact :
Vulnerabilities that result in the disclosure of users' passwords can result in
compromises that are extremely difficult to investigate due to obscured audit trails. Even
if the application itself only handles non-sensitive information, exposing passwords puts
users who have re-used their password elsewhere at risk.
Evidence/Proof Of Concept :
Step 1: The password is returned in the response, as shown in the screenshot below.
Recommendation :
It is recommended not to disclose passwords in later responses.
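
One way to act on this recommendation, as an added example (not code from the application or the audit report): build the profile response from an allowlist of fields, and use a regression check that walks a decoded JSON response for credential-named keys or the submitted password value. The field names, the allowlist and the sample response are assumptions constructed for illustration.

```python
import json

# Assumed credential field names (hypothetical, not taken from the ticket).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "passwordhash",
                  "confirmpassword", "oldpassword", "newpassword"}
# Assumed allowlist of fields a user-profile response may carry.
PROFILE_FIELDS = ("userId", "userName", "email")


def _norm(key):
    """Normalise a key so user_password, User-Password, userPassword compare alike."""
    return key.replace("_", "").replace("-", "").lower()


def find_password_leaks(body, submitted_password=None, path="$"):
    """Return JSON paths where a credential key or the submitted password appears."""
    leaks = []
    if isinstance(body, dict):
        for key, value in body.items():
            child = f"{path}.{key}"
            if _norm(key) in SENSITIVE_KEYS and value not in (None, ""):
                leaks.append(child)  # credential-named field with a value
                continue
            leaks += find_password_leaks(value, submitted_password, child)
    elif isinstance(body, list):
        for i, item in enumerate(body):
            leaks += find_password_leaks(item, submitted_password, f"{path}[{i}]")
    elif isinstance(body, str) and submitted_password and submitted_password in body:
        leaks.append(path)  # password echoed inside some other string field
    return leaks


def to_profile_response(user_record):
    """Build the outgoing profile from the allowlist; everything else is dropped."""
    return {f: user_record[f] for f in PROFILE_FIELDS if f in user_record}


# Constructed sample response body, not captured from the affected service.
SAMPLE_RESPONSE = json.loads("""
{"status": "success",
 "data": {"userId": 17, "userName": "demo.user", "email": "demo.user@example.test",
          "password": "Example#Pass1",
          "roles": [{"name": "nurse", "note": "temp pw Example#Pass1"}]}}
""")

if __name__ == "__main__":
    print("before:", find_password_leaks(SAMPLE_RESPONSE, "Example#Pass1"))
    safe = to_profile_response(SAMPLE_RESPONSE["data"])
    print("after: ", find_password_leaks(safe, "Example#Pass1"), safe)
```

Because the finding applies to the entire application, the check is best run in integration tests against every endpoint that returns user objects, with the password used at login or profile update passed as `submitted_password`.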
Updated by Harish Beechani 11 months ago
- Status changed from Resolved to Ready for Prod
Updated by Kalyan Battula 11 months ago
- Status changed from Ready for Prod to Closed
- Assignee changed from Harish Beechani to Kalyan Battula