Forum Discussion

  • Can you please explain the exact nature of the attack you are referring to? What exactly are you observing?

     

    • Akhtar_109015's avatar
      Akhtar_109015
      Icon for Nimbostratus rankNimbostratus
      I have uploaded the HTTP request and response snapshots from a PT tool. In the response from a server we see the password in clear text. Can we tune the ASM policy to track the session and encrypt the passwords in the HTTP responses ? Akhtar
  • Can you please explain the exact nature of the attack you are referring to? What exactly are you observing?

     

    • Akhtar_109015's avatar
      Akhtar_109015
      Icon for Nimbostratus rankNimbostratus
      I have uploaded the HTTP request and response snapshots from a PT tool. In the response from a server we see the password in clear text. Can we tune the ASM policy to track the session and encrypt the passwords in the HTTP responses ? Akhtar
    • Mike_Maher's avatar
      Mike_Maher
      Icon for Nimbostratus rankNimbostratus
      Is this running over HTTP or HTTPS? Is your concern for someone taking control of your browser and stealing the password?
  • You can encrypt the sensitive cookie using the HTTP Profile Cookie Encryption feature and you can mask the sensitive password in the response using DataGuard in ASM. Be careful though as DataGuard masking can actually break your application if it is actually expecting the administrator password to be present in clear-text in the response.

     

    Sam

     

  • Hello Akhtar, you might try to add the "pwdadmin2" parameter to your parameters list, and then configure it as a sensitive parameter on the Properties screen for it. You will have to test it then to make sure that masking it doesn't harm the functionality of your app.