Password In Response


Description

The application returns a password in the response. Returning a password in an HTTP response exposes weaknesses that may allow an attacker to capture a user’s password. It also indicates that passwords are being stored in clear text in the database, which could expose user passwords if the database is attacked. An attacker who takes advantage of these flaws can obtain unauthorized access to a user’s account and gain access to sensitive data in the application. 

Impact

An insecure password reset allows an attacker to reset another user’s password in order to bypass authentication and gain access to user accounts. An attacker who can control user passwords can take over a user’s account and potentially access sensitive data or functions in the application.

Risk Rating

Remediation

How To Test

Sample Report Screenshots

Time Saving Tips

Testing Gotchas

References

 

Subscribe here in order to gain access to the AppSec Findings Database

Leave a Reply