[
https://issues.apache.org/jira/browse/FINERACT-2129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Chris Wells updated FINERACT-2129:
----------------------------------
Description: [Redacted] (was: h2. Description
The application stores sensitive information (User credentials) in a cookie
using base64 encoding.
h2. Reproduction Steps
1- Login at [https://openmf.github.io/web-app/] or
[https://demo.mifos.io|https://demo.mifos.io/] with the following credentials:
{{mifos: Secure@123}}
2- Now intercept any of the requests and base64 decode the {{Authorization}}
header.
*Encoded:* {{bWlmb3M6U2VjdXJlQDEyMw==}}
*Decoded:* {{mifos:Secure@123}}
h2. Remediation Advice
Sensitive information should not be stored using a weak encoding algorithm in a
cookie.
h2. Impact Details
An attacker can fetch the cookies via a MiTM attack and access the victim's account
using the credentials stored in the cookie.)
> Storage of Sensitive Information in a Cookie
> --------------------------------------------
>
> Key: FINERACT-2129
> URL: https://issues.apache.org/jira/browse/FINERACT-2129
> Project: Apache Fineract
> Issue Type: Bug
> Components: Client, Security
> Reporter: Peter Chen
> Priority: Minor
> Labels: client, security, web
>
> [Redacted]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
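The report's core point is that base64 is an encoding, not encryption: a Basic {{Authorization}} header or a cookie holding base64 of {{user:password}} is readable by anyone who sees the request. The following Python snippet is an added example, not code from the Jira issue or from Apache Fineract. It shows the check a reviewer would run over captured request headers to confirm such a finding: it strictly decodes Basic-auth tokens and cookie values, recognises the {{user:password}} shape, and reports the username with the password redacted so the finding itself does not re-leak the secret. The header set is constructed for the example (the host and cookie names are placeholders); only the encoded value is the one quoted in the issue.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample request headers, modelled on the intercepted request the
# Jira report describes. The Authorization value is the one quoted in the
# issue; the host and cookie names/values are constructed for this example.
SAMPLE_HEADERS: Dict[str, str] = {
    "Host": "demo.example.invalid",
    "Authorization": "Basic bWlmb3M6U2VjdXJlQDEyMw==",
    "Cookie": "JSESSIONID=0123456789abcdef; auth=bWlmb3M6U2VjdXJlQDEyMw==",
}

# Shape of a standard (non-URL-safe) base64 token with optional '=' padding.
_B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_basic_credential(token: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) if `token` is base64 of `user:password`.

    Strict decoding plus a printable-text check keeps opaque session
    identifiers (which may happen to be valid base64) from being reported
    as credentials.
    """
    token = token.strip()
    if not _B64_TOKEN.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in text or not text.isprintable():
        return None
    user, _, password = text.partition(":")
    if not user or not password:
        return None
    return user, password


def redact(secret: str) -> str:
    """Keep only the first character so a finding never re-leaks the secret."""
    return secret[:1] + "*" * (len(secret) - 1)


def find_credential_leaks(headers: Dict[str, str]) -> List[Dict[str, str]]:
    """Flag Basic-auth headers and cookie values that decode to user:password."""
    findings: List[Dict[str, str]] = []

    # Basic authentication: "Authorization: Basic <base64(user:password)>"
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        cred = decode_basic_credential(token)
        if cred:
            findings.append({"location": "Authorization", "username": cred[0],
                             "password_redacted": redact(cred[1])})

    # Cookies: each "name=value" pair is checked for the same encoded shape.
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        cred = decode_basic_credential(value) if value else None
        if cred:
            findings.append({"location": f"Cookie:{name}", "username": cred[0],
                             "password_redacted": redact(cred[1])})
    return findings


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_HEADERS):
        print(f"{f['location']}: user={f['username']} "
              f"password={f['password_redacted']}")
```

Run over the constructed headers, the check reports both the {{Authorization}} header and the {{auth}} cookie as carrying a decodable credential, while the opaque session identifier is left alone. On the remediation side, the fix the report asks for is to keep credentials out of client-side storage entirely: authenticate once, issue a server-side session or short-lived token, and never persist the password (encoded or not) in a cookie.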