[ https://issues.apache.org/jira/browse/FINERACT-2129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Chen updated FINERACT-2129:
---------------------------------
    Description: 
h2. Description

 
The application stores sensitive information (User credentials) in a cookie 
using base64 encoding.
 
h2. Reproduction Steps

 
1- Login at [https://openmf.github.io/web-app/]  or   
[https://demo.mifos.io|https://demo.mifos.io/]  with the following credentials:

{{mifos: Secure@123}}

2- Now intercept any of the requests and base64 decode the {{Authorization}} 
header.

*Encoded:* {{bWlmb3M6U2VjdXJlQDEyMw==}}

*Decoded:* {{mifos:Secure@123}}

h2. Remediation Advice

Sensitive information should not be stored using a weak encoding algorithm in a 
cookie.

h2. Impact Details

An attacker can fetch the cookies via a MitM attack and access the victim account 
using the credentials being stored in the cookie.

  was:
h2. Description

 
The application stores sensitive information (User credentials) in a cookie 
using base64 encoding.
 
h2. Reproduction Steps

 
1- Login at https://openmf.github.io/web-app/  or   https://demo.mifos.io  with 
the following credentials:

{{mifos: Secure@123}}

2- Now intercept any of the requests and base64 decode the {{Authorization}} 
header.

*Encoded:* {{bWlmb3M6U2VjdXJlQDEyMw==}}

*Decoded:* {{mifos:Secure@123}}

h2. Remediation Advice

Sensitive information should not be stored using a weak encoding algorithm in a 
cookie.

h2. Impact Details

An attacker can fetch the cookies via a MitM attack and access the victim account 
using the credentials being stored in the cookie.


> Storage of Sensitive Information in a Cookie
> --------------------------------------------
>
>                 Key: FINERACT-2129
>                 URL: https://issues.apache.org/jira/browse/FINERACT-2129
>             Project: Apache Fineract
>          Issue Type: Bug
>          Components: Client, Security
>            Reporter: Peter Chen
>            Priority: Minor
>              Labels: client, security, web
>
> h2. Description
>  
> The application stores sensitive information (User credentials) in a cookie 
> using base64 encoding.
>  
> h2. Reproduction Steps
>  
> 1- Login at [https://openmf.github.io/web-app/]  or   
> [https://demo.mifos.io|https://demo.mifos.io/]  with the following credentials:
> {{mifos: Secure@123}}
> 2- Now intercept any of the requests and base64 decode the {{Authorization}} 
> header.
> *Encoded:* {{bWlmb3M6U2VjdXJlQDEyMw==}}
> *Decoded:* {{mifos:Secure@123}}
>  
> h2. Remediation Advice
> Sensitive information should not be stored using a weak encoding algorithm in a 
> cookie.
> h2. Impact Details
> An attacker can fetch the cookies via a MitM attack and access the victim 
> account using the credentials being stored in the cookie.
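An added check, not part of the report above and not code from the Fineract project: the value quoted in the report is an HTTP Basic {{Authorization}} header, and base64 is a reversible encoding rather than encryption, so anyone who can read that header, or a cookie carrying the same value, recovers the credentials with no key. The Python below runs the audit a defender would want over captured request headers: it decodes Basic credentials and base64-looking cookie values and reports which headers carry a {{user:password}} pair, recording only the user name and the secret's length so the finding can be logged without re-exposing the password. The sample headers are constructed; the {{Authorization}} value is the encoded string from the report, while the cookie names and values are made up.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Constructed sample request headers for the check below. The Authorization
# value is the encoded string quoted in the report; the cookie names and
# values are made up and are not from the project.
SAMPLE_HEADERS: Dict[str, str] = {
    "Authorization": "Basic bWlmb3M6U2VjdXJlQDEyMw==",
    "Cookie": "session=YWJjZGVm; creds=bWlmb3M6U2VjdXJlQDEyMw==",
    "Content-Type": "application/json",
}

# Strict base64 alphabet with optional padding, so ordinary cookie values
# such as "/" or "3600" are not decoded as noise.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_base64_text(token: str) -> Optional[str]:
    """Decode a base64 token to UTF-8 text, or return None if it is not one.

    base64 is an encoding, not a cipher: no key is involved, so any value
    that decodes cleanly is readable by whoever can see the header.
    """
    token = token.strip()
    if len(token) % 4 != 0 or not _B64_RE.match(token):
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def looks_like_credentials(text: str) -> bool:
    """True for a printable 'user:password' pair with both parts non-empty."""
    if not text.isprintable():
        return False
    user, sep, password = text.partition(":")
    return bool(sep) and bool(user) and bool(password)


def _finding(header: str, where: str, decoded: str) -> Dict[str, str]:
    # Keep the user name and only the length of the secret, never the secret
    # itself, so the finding can go into a ticket or log safely.
    user, _, password = decoded.partition(":")
    return {"header": header, "location": where, "user": user,
            "secret_length": str(len(password))}


def find_credential_exposures(headers: Dict[str, str]) -> List[Dict[str, str]]:
    """Report headers that carry base64-encoded user:password credentials."""
    findings: List[Dict[str, str]] = []
    for name, value in headers.items():
        lname = name.lower()
        if lname == "authorization":
            scheme, _, param = value.partition(" ")
            if scheme.lower() == "basic":
                decoded = decode_base64_text(param)
                if decoded and looks_like_credentials(decoded):
                    findings.append(_finding(name, "basic-auth", decoded))
        elif lname in ("cookie", "set-cookie"):
            # Cookie pairs are ';'-separated; attributes without '=' are skipped.
            for part in value.split(";"):
                cname, sep, cval = part.strip().partition("=")
                if not sep:
                    continue
                decoded = decode_base64_text(cval)
                if decoded and looks_like_credentials(decoded):
                    findings.append(_finding(name, "cookie:" + cname, decoded))
    return findings


if __name__ == "__main__":
    for finding in find_credential_exposures(SAMPLE_HEADERS):
        print(finding)
```

Run against the sample, the check flags both the Basic header and the {{creds}} cookie for user {{mifos}} and ignores the opaque session cookie. The mitigation side follows from what the check shows: credentials should not be persisted in a cookie at all, a short-lived session token with the {{Secure}} and {{HttpOnly}} attributes should stand in for them after login, and TLS protects the header in transit but does not change the fact that base64 offers no confidentiality.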



--
This message was sent by Atlassian Jira
(v8.20.10#820010)