Technical information leak - Credentials

Description

When the login page is loaded, one of the requests it triggers returns an unminified, non-obfuscated script in which the BotChat Direct Line secret can be read in plain text. Because the script is served to anyone who reaches the login page, no authentication is needed to obtain it.

Impact

An attacker can read the Direct Line secret from the script and use it to connect directly to the application's bot over Direct Line, outside the application's own front end.

Recommendation

  • Keep the Direct Line secret out of any script delivered to the client. Load it on the server from a vault service or an environment variable, and hand the browser only a short-lived Direct Line token obtained server-side with that secret.
  • Minify and obfuscate the scripts that are shipped to the browser. This reduces casual discovery of configuration values but is not a security control on its own: anything embedded in client-side code must be assumed readable.
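The following is an added example, not code from the original page, showing the pattern behind the two recommendations above: the Direct Line secret stays server-side, is exchanged for a short-lived token, and only that token is placed in the script the browser receives. The environment variable name DIRECT_LINE_SECRET, the `fetchImpl` parameter, the mock token endpoint and the `window.botConfig` markup are assumptions made for this example; the token endpoint URL and the `Authorization: Bearer <secret>` exchange are the documented Direct Line v3 behaviour.

```javascript
// Added example: server-side Direct Line token exchange versus a leaky client script.
// Assumptions (hypothetical): the secret is read from DIRECT_LINE_SECRET, fetch is
// injectable so the exchange can be mocked offline, and the page markup is illustrative.

const DIRECT_LINE_TOKEN_URL =
  'https://directline.botframework.com/v3/directline/tokens/generate';

// Server side: trade the long-lived secret for a short-lived token. The secret is used
// only as a bearer credential towards Direct Line and never enters the response body.
async function generateDirectLineToken(secret, fetchImpl = globalThis.fetch) {
  if (!secret) throw new Error('Direct Line secret is not configured');
  const response = await fetchImpl(DIRECT_LINE_TOKEN_URL, {
    method: 'POST',
    headers: { Authorization: `Bearer ${secret}` },
  });
  if (!response.ok) throw new Error(`token exchange failed: HTTP ${response.status}`);
  const body = await response.json();
  return { token: body.token, conversationId: body.conversationId, expiresIn: body.expires_in };
}

// Non-compliant: the secret is interpolated straight into the script served with the login page.
function renderLoginScriptLeaky(secret) {
  return `<script>window.botConfig = { directLineSecret: "${secret}" };</script>`;
}

// Compliant: only the short-lived token reaches the client.
function renderLoginScript(tokenResponse) {
  return `<script>window.botConfig = { directLineToken: "${tokenResponse.token}" };</script>`;
}

// Check to run against a captured response body: does the served script contain the secret?
function responseLeaksSecret(body, secret) {
  return body.includes(secret);
}

// Constructed stand-in for the Direct Line token endpoint so the example runs offline.
// It accepts any non-empty bearer credential and returns a constructed token.
function mockDirectLineFetch(url, options) {
  const auth = (options && options.headers && options.headers.Authorization) || '';
  const ok = url === DIRECT_LINE_TOKEN_URL && auth.length > 'Bearer '.length && auth.startsWith('Bearer ');
  return Promise.resolve({
    ok,
    status: ok ? 200 : 403,
    json: async () => ({
      conversationId: 'constructed-conversation-id',
      token: 'constructed-short-lived-token',
      expires_in: 1800,
    }),
  });
}

// Renders both variants for the same secret and reports which one leaks it.
async function demo(fetchImpl = mockDirectLineFetch) {
  const secret = process.env.DIRECT_LINE_SECRET || 'CONSTRUCTED_SECRET_FOR_DEMO';
  const leaky = renderLoginScriptLeaky(secret);
  const tokenResponse = await generateDirectLineToken(secret, fetchImpl);
  const safe = renderLoginScript(tokenResponse);
  return {
    leakyExposesSecret: responseLeaksSecret(leaky, secret),
    safeExposesSecret: responseLeaksSecret(safe, secret),
    token: tokenResponse.token,
  };
}

demo().then((result) => console.log(result));
```

With the mock endpoint the leaky variant reports `leakyExposesSecret: true` and the compliant one `safeExposesSecret: false`; against the real endpoint, replace `mockDirectLineFetch` with the platform `fetch`. The `responseLeaksSecret` check is the same test to apply to the real login page: capture the script responses and grep them for the configured secret.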

Threat

Anonymous attacker with network access to the login page.

Expected Remediation Time

⌚ 60 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: O
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 5.1
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The application does not serve any script or method that contains sensitive information.

const logIn = (req, res) => {
  if (isValidUser(req.body.user) && isValidToken(req.body.user.token)) {
    // Avoid serving external scripts that contain sensitive information:
    // the client only receives a redirect, never a secret
    res.redirect('users/main');
  }
}

Non compliant code

A script containing a plain-text access key is sent to the client.

const logIn = (req, res) => {
  if (isValidUser(req.body.user) && isValidToken(req.body.user.token)) {
    // callScript() returns a script that holds the Direct Line secret in plain text,
    // so the secret travels to the client in this response
    res.send(callScript());
  }
}

Requirements