You are not logged in.
Pages: 1
Hi,
I have realized that when I change a user password, ReportServer makes the following requests:
Request:
POST http://localhost/reportserver/crypto
... net.datenwerke.security.ext.client.crypto.rpc.CryptoRpcService|getHmacPassphrase|1|2|3|4|0|
Response:
//OK[1,["This is the Passphrase used to compute the HMAC key for reportServer passwords."],0,7]
-----------
Request:
POST http://localhost/reportserver/crypto
... net.datenwerke.security.ext.client.crypto.rpc.CryptoRpcService|getSalt|1|2|3|4|0|
Response:
//OK[1,["The salt to be used for encryption. This should simply be a long string."],0,7]
----------
Request:
POST http://localhost/reportserver/crypto
Response:
//OK[128,[],0,7]
----------
Request:
POST http://localhost/reportserver/crypto
net.datenwerke.security.ext.client.crypto.rpc.CryptoRpcService|getUserSalt|1|2|3|4|0|
Response:
//OK[1,["XXXXXXXXXXXX"],0,7]
----------
Request:
POST http://localhost/reportserver/security_password
net.datenwerke.security.ext.client.password.PasswordRpcService|changePassword|java.lang.String/2004016611|Z|oldPasswordEncrypted|NewPasswordEncrypted|1|2|3|4|3|5|5|6|7|8|1|
Response:
//OK[[],0,7]
----------
I think these requests should not be made on the client side because they are leaking sensitive information (HMAC passphrase, salt, user salt, encrypted password) and they can be intercepted by using a local proxy like OWASP ZAP. These operations should be performed on the back-end side and being transparent for the user.
Is there any configuration to avoid this behavior?
Regards.
Offline
Hi eduardo,
could you help me with this issue, please?
Thanks in advance.
Offline
Pages: 1