26 Apr 2022 07:32 PM - last edited on 16 Jun 2023 12:04 PM by Karolina_Linda
Dear Team,
As we have observed vulnerabilities during login, password is not encrypted after submission of dynatrace managed login page. Also attached snap as evidence for such case. Kindly check and resolve ASAP.
Observation Solution : Encrypt transmission of credentials from the client to the server.
Observation Description: An adversary can intercept plain text credentials using sniffer tools. Credentials thus obtained may be used to gain unauthorized access to the application.
Regards,
Ashutosh Kumar Singh
Solved! Go to Solution.
26 Apr 2022 07:54 PM - edited 26 Apr 2022 07:59 PM
In the screenshot you provide, you can see that connection is being made in https, so the whole socket and the data transmitted in it are encrypted.
The fact that you are seeing the data unencrypted is because you are intercepting this with a MITM attack proxy, like BURP. For you to do it, you have had to make something special on the client side making the requests, like putting in new certificates/CAs. In a normal proxy it won't work this way.
If you grab the data from a packet capture, you will confirm that you cannot see it.
So, in summary, it is effectively encrypted, and an adversary cannot intercept such data using sniffer tools.
This is how https normally works. You can secure it with some additional tricks, but in most cases it would be easily reversible.