
    Password is exposed in clear text while using a Burp Proxy suite through HTTPS

    During the test, it was observed that the password was transferred in plain text, without any encryption/encoding, in XML on the login page, using the proxy tool Burp Suite. This may pose a threat to the security of the application. Please find the attached image for more details.

    #2
    We are using SmartClient version v100p_2017-03-16_Enterprise



      #3
      We are using HTTPS protocol for our application.



        #4
        SmartClient does not impose any constraints on how you pass login and password information to the server; you can encrypt before sending if you like. This of course would be redundant with use of HTTPS, which already means your password is not actually being sent in cleartext.

        Note further that in the QuickStart Guide, we recommend explicitly against using SmartClient for the login page of an application (for several reasons, but security is not one of them).
