Hi folks,
I am fairly new to ASP programming and I've been tasked with securing our website login and registration forms. This is my first post to these forums and I'm hoping someone will be able to set me in the right direction.
We are doing some pre-PCI compliancy scans and one of the vulnerabilities noted is "Web Server Uses Plain-Text Form Based Authentication". The solution suggested in the report is "Please contact the vendor of the hardware/software for a possible fix for the issue."
When talking with my co-worker and after some initial research, we guessed that changing the code to send the login and registration forms to our https instead of http would solve our problem. We have gone ahead and accomplished this, ran another scan, but we are presented with the same vulnerability.
Can someone here clue me as to whether or not we are even on the right track? Is this in fact a code issue, or could it be that the server settings need to be configured differently?
We are using IIS and ASP (not ASP.NET).
Any guidance or other helpful information would be greatly appreciated.
Thanks,
Wadeone