Server using Plain-Text Form Authentication/Security Risk/Change this?

Status
Not open for further replies.

Wadeone

Programmer
Jul 19, 2007
2
US
Hi folks,

I am fairly new to ASP programming and I've been tasked with securing our website login and registration forms. This is my first post to these forums and I'm hoping someone will be able to set me in the right direction.

We are doing some pre-PCI compliance scans and one of the vulnerabilities noted is "Web Server Uses Plain-Text Form Based Authentication". The solution suggested in the report is "Please contact the vendor of the hardware/software for a possible fix for the issue."

When talking with my co-worker and after some initial research, we guessed that changing the code to send the login and registration forms to our https instead of http would solve our problem. We have gone ahead and accomplished this and ran another scan, but we are presented with the same vulnerability.

Can someone here clue me as to whether or not we are even on the right track? Is this in fact a code issue, or could it be that the server settings need to be configured differently?

We are using IIS and ASP (not ASP.NET).

Any guidance or other helpful information would be greatly appreciated.

Thanks,

Wadeone
 
Remember that HTTP is a text-based protocol.

That said, one of the biggest security threats to your ASP is likely to be SQL Injection.
 
Sheco,

Thanks for your reply. I do realize HTTP is text based. It seems that maybe the form results need to be encrypted when sending to satisfy the PCI requirements? If this is the case, does anyone have any thoughts on the best method for this?

Thanks for the reminder on SQL Injection being a threat. We have deterrents in place for that, but I'm sure as we go through this process, we'll be re-visiting those;)

Thanks again for any guidance or suggestions:)
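The scanner finding described in this thread is normally raised when the page that contains the password field, or the URL that form posts to, is still reachable over plain http. Below is an added example (not code from this thread or from any of its participants) of how a classic ASP page can refuse to serve the login form over http; it assumes a hypothetical login.asp that posts to login_check.asp and uses a placeholder hostname:

```asp
<% Option Explicit %>
<%
' Added example, not from the thread.  Put this at the very top of login.asp,
' before any HTML is written, so the form is only ever delivered over TLS.
' The same check belongs in login_check.asp (the POST target), because a
' scanner may submit the form straight to the http URL and flag that too.

' Placeholder: the canonical hostname of the site.  A fixed value is used
' rather than the client-supplied Host header so the redirect cannot be
' steered to another host.
Const SECURE_HOST = "www.example.com"

' IIS sets the HTTPS server variable to "on" when the request came over TLS.
Function IsSecureRequest()
    IsSecureRequest = (LCase(Request.ServerVariables("HTTPS")) = "on")
End Function

' Build the https equivalent of the current request (path plus query string).
Function SecureUrlForCurrentRequest()
    Dim url
    url = "https://" & SECURE_HOST & Request.ServerVariables("URL")
    If Len(Request.ServerVariables("QUERY_STRING")) > 0 Then
        url = url & "?" & Request.ServerVariables("QUERY_STRING")
    End If
    SecureUrlForCurrentRequest = url
End Function

If Not IsSecureRequest() Then
    ' Never render the form on http; send the browser to the https copy.
    Response.Status = "301 Moved Permanently"
    Response.AddHeader "Location", SecureUrlForCurrentRequest()
    Response.End
End If
%>
<!-- A relative action inherits the scheme of this page, so once the page
     is only served over https the credentials are only ever posted over
     https as well. -->
<form method="post" action="login_check.asp">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
```

Redirecting is only the first half: the http port should not serve the login pages at all once every link and bookmark points at https, and login_check.asp should reject any POST whose HTTPS variable is not "on" rather than process it.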

 