I have a customer who has a requirement to encrypt the userid and password from the FormLogin.html page.
QV11 SR5, DMS is in place with HTTPS.
The QV webserver (IIS) is accessible over the internet in Public DMZ, QVS in Private DMZ.
If a URL parameter is used to send login credentials, web browsers may store this information as
part of the browser's history. If a malicious individual obtains access to the targeted computer in
which the credentials were saved, it may be possible to recover these saved credentials from the
browser and use them to gain access to the application and launch further attacks on the system.
Furthermore, the direct access capability (or handling of the GET method using URL parameters)
may simplify the ability for a malicious individual to perform “phishing” or cross-site scripting attacks,
which are designed to gain unauthorized access to the application and/or sensitive information.
An affected URL may be logged within the user's browser, the web server, and any forward
or reverse proxy servers between the client and webserver. URLs are also displayed on-screen,
bookmarked or emailed by users. They may be disclosed to third parties via the Referrer header.
Does anyone have any ideas on how to resolve this threat?
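As an added illustration (not part of the original post or of QlikView itself), here is a small check that scans IIS W3C log lines for the exposure described above: credentials that ended up in the query string or in a Referer header. The credential parameter names and the sample log lines are constructed assumptions, not real QlikView field names or real traffic.

```python
"""Flag login credentials that leaked into web-server logs via URL parameters."""
from urllib.parse import parse_qsl, urlsplit

# Parameter names treated as credentials (assumed; match them to the real form fields).
CREDENTIAL_KEYS = {"userid", "user", "username", "pwd", "password", "passwd"}

# Constructed sample IIS W3C extended-log lines (not captured from a real server).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2024-01-01 10:00:01 GET /FormLogin.html userid=alice&password=s3cret 302 -
2024-01-01 10:00:02 POST /FormLogin.html - 302 -
2024-01-01 10:00:03 GET /opendoc.htm document=Sales.qvw 200 https://qv.example.test/FormLogin.html?userid=bob&password=hunter2
"""


def credential_params(query):
    """Return the credential parameter names found in a query string ('-' = empty)."""
    if not query or query == "-":
        return []
    return sorted(k for k, _ in parse_qsl(query, keep_blank_values=True)
                  if k.lower() in CREDENTIAL_KEYS)


def scan_log(text):
    """Yield (timestamp, field, [param names]) for every record that carries credentials.

    Only parameter names are reported, so the scan itself never copies the secrets.
    """
    findings = []
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):      # W3C header names the columns that follow
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        when = rec["date"] + " " + rec["time"]
        # 1) credentials sent directly in the request URL (GET login)
        leaked = credential_params(rec.get("cs-uri-query"))
        if leaked:
            findings.append((when, "cs-uri-query", leaked))
        # 2) credentials carried along in the Referer of a later request
        referer = rec.get("cs(Referer)", "-")
        leaked = credential_params(urlsplit(referer).query) if referer != "-" else []
        if leaked:
            findings.append((when, "cs(Referer)", leaked))
    return findings


if __name__ == "__main__":
    for when, field, names in scan_log(SAMPLE_LOG):
        print(f"{when}: credentials in {field}: {', '.join(names)}")
```

Running it against real IIS logs (and proxy logs, which the report notes are affected too) shows whether the GET login is actually being exercised; the POST record above produces no finding because its query column is empty.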