FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Looking to upgrade from Dynatrace Managed to SaaS? See how

Credentials are transmitted to server in plain text

Go to solution
dynatrace5
Participant

‎26 Apr 2022 07:32 PM - last edited on ‎16 Jun 2023 12:04 PM by Community Team

Dear Team,
As we have observed vulnerabilities during login, password is not encrypted after submission of dynatrace managed login page. Also attached snap as evidence for such case. Kindly check and resolve ASAP.

Observation Solution : Encrypt transmission of credentials from the client to the server.

Observation Description: An adversary can intercept plain text credentials using sniffer tools. Credentials thus obtained may be used to gain unauthorized access to the application.

 

Regards,
Ashutosh Kumar Singh

0 Kudos
Reply
1 REPLY 1

Go to solution
AntonioSousa
DynaMight Guru
DynaMight Guru

‎26 Apr 2022 07:54 PM - edited ‎26 Apr 2022 07:59 PM

@dynatrace5,

In the screenshot you provide, you can see that connection is being made in https, so the whole socket and the data transmitted in it are encrypted.

The fact that you are seeing the data unencrypted is because you are intercepting this with a MITM attack proxy, like BURP. For you to do it, you have had to make something special on the client side making the requests, like putting in new certificates/CAs. In a normal proxy it won't work this way.

If you grab the data from a packet capture, you will confirm that you cannot see it.

So, in summary, it is effectively encrypted, and an adversary cannot intercept such data using sniffer tools.

This is how https normally works. You can secure it with some additional tricks, but in most cases it would be easily reversible.

Antonio Sousa
Reply
Ask a question

Featured Posts