DataSafe password encryption ...not really
Hi team, I just performed a test with datasafe on version 15.1.0.2. I set my login url to "/user_login.php" and the parameters "username" and "password" for the username/password field of my webpage. I asked datasafe to encrypt and obfuscate both my username and password parameters. then I reloaded my webpage. I entered "kabe_admin" as username and "kabe_password" as password. Then I opened the browser (firefox80.0.1) console and lunched a small script which displays all the forms fields value: javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { s += f[i].name + ":" + f[i].value + " " + f[i].type +"\n"; } } if (s) console.log("Passwords in forms on this page:\n\n" + s); else alert("There are no passwords in forms on this page.");})(); I got the following result: Passwords in forms on this page: : hidden q: text :Go! submit : hidden id:0 select-one :Go! submit :kabe_admin text 08be7f2d16081800e5fbe4edc855463d5cc54fb3a397ca49d50c3cfe8264b225:08be7f2d1601180010d043f60ed0f20d2f34b275f9ce23baa960c9df7db6d1ba49319e1d865eea4a041b67c9c000990995b6b970bf72f8ccdc839ede5b0f1867a8c31c243b82fb013ee662ec07920ca89ecbd4ca664477130129742ef43dd4ed1414f7bfc7c4af165db6e2b448dcddee856cef14d376fd0a0f93356891cea6ce48ab7fa20410 hidden :kabe_password password 08be7f2d16081800e3908b0fe720a0fa78171259b4b5ff7e142021740647c372:08be7f2d1601180010d043f60ed0f20d2f34b275f9ce23baa960c9df7db6d1ba49319e1d865eea4a041b67c9c000990995b6b970bf72f8ccdc839ede5b0f1867a8c31c243b82fb013ee662ec07920ca89ecbd4ca664477130129742ef43dd4eda4b79a1d9a94b53f4fe4e37fefa20dc2709bfed517f1710e8a30f48bd6b045e84cadff3b1ac7048d9f hidden : submit action:login hidden As you can see in the output, I was able to get a clear version of the password ! ok the field name doesn't appear in front of "kabe_password" but nonetheless it is of type "password" and after all the password is visible with this simple JS code ! If I can do it, I think that a Malware will more than able to do the same , right ? isn't it the goal of Datasafe to prevent malware from stealing information like this ? Is this a huge bug ? or am I missing something ? PS: This is lab environment and I can share my config if needed. although this can easily be reproduced. many thanks, karim
How to enable Secure Web Gateway (SWG) in BIG-IP VE
Hi, I'm Joseph Park working at sdn/nfv/cloud system for Samsung SDS. I'd tried to test BIG-IP VE (BIGIP-15.0.1-0.0.11.ALL-vmware.ova) with trial version now. But in my test version, I cannot test Secure Web Gateway (SWG). it is unlicensed state now. The other modules are important to me, I'm only focus on the forward proxy for web... How can I get trial license on the SWG? Please let me know or email me the guide if possible. Thank you in advance.
How to Create a empty pool using C#?
I wrote following code to create a LBPool but it only works if i have at least one member(s). My application need to create a empty pool and add it to a VirtualServer. // Create member var members = nodes.Select(t => new CommonIPPortDefinition { address = t.Address, port = t.Port }).ToArray(); var newMembers = new CommonIPPortDefinition[][] { members }; // Create pool with algorithms m_interfaces.LocalLBPool.create(new string[] { name }, new LocalLBLBMethod[] { method }, newMembers);
AMQP Cleartext Authentication
Description The remote Advanced Message Queuing Protocol (AMQP) service supports one or more authentication mechanisms that allow credentials to be sent in the clear. Solution Disable cleartext authentication mechanisms in the AMQP configuration in ubuntu or centos machines disable unencrypted access in the configuration file. >> unencrypted" here refers to client connections. https://www.rabbitmq.com/ssl.html Steps of disabling the AMQP: https://liquidwarelabs.zendesk.com/hc/en-us/articles/360019562832-Disable-cleartext-authentication-option-in-RabbitMQ The above link used for windows vulnerability. Please help in getting resolution for Centos or Ubuntu configuration file.MongoDB Service Without Authentication Detection
DescriptionMongoDB, a document-oriented database system, is listening on the remote port, and it is configured to allow connections without any authentication. A remote attacker can therefore connect to the database system in order to create, read, update, and delete documents, collections, and databases. Enable authentication or restrict access to the MongoDB service. What are the steps for the above vulnerabilty on linux server to enable authentication or restrict access to the MongoDB service?SSL Certificate with Wrong Hostname
SSL Certificate with Wrong Hostname The SSL certificate for this service is for a different host. The commonName (CN) of the SSL certificate presented on this service is for a different machine. Purchase or generate a proper certificate for this service solution provided on other sites : "Purchase or generate a proper certificate for this service." What is the proper solution to go away for this vulnerability from linux machines and how to implement the solution ?
