0 Replies Latest reply: Jul 16, 2015 8:27 AM by Rico van Zyl RSS

    Encrypt User Credentials from FormLogin.htm

    Rico van Zyl

      Hallo all,

       

      I have a customer who has a requirement to encrypt the userid and password from the FormLogin.html page.

      Setup:

      QV11 SR5, DMS is place with HTTPS.

      The QV webserver (IIS) is accessible over the internet in Public DMZ, QVS in Private DMZ.

       

      If an URL parameter is used to send login credentials, web browsers may store this information as

      part of the browser's history. If a malicious individual obtains access to the targeted computer in

      which the credentials were saved, it may be possible to recover these saved credentials from the

      browser and use them to gain access to the application and launch further attacks on the system.

      Furthermore, the direct access capability (or handling of the GET method using URL parameters)

      may simplify the ability for a malicious individual to perform “phishing” or cross-site scripting attacks,

      which are designed to gain unauthorized access to the application and/or sensitive information.

      An affected URL may be logged within the user's browser, the web server, and any forward

      or reverse proxy servers between the client and webserver. URLs are also displayed on-screen,

      bookmarked or emailed by users. They may be disclosed to third parties via the Referrer header.

       

      Does anyone have any ideas on how to resolve this threat?

       

      Much appreciated!