Our client ran a penetration test on our Mendix application. They found three low-risk issues:

1- Clear-text submission of password: Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. They recommend using transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. We were using the hashing algorithm SSHA256. I do not know whether switching to BCrypt would fix this issue or not?

2- Password field submitted using the GET HTTP method: They recommend using the POST method instead of GET. So if I update the login.html page as follows, would it fix that issue?
<form id="login" class="loginForm" method="POST" >

3- Password field with autocomplete feature enabled: Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application. So if I update the login.html page as follows, would it fix that issue?
<input type="password" name="password" class="formInput" autocomplete="off" />
1) If you run 'on premise', it's your choice whether you host your application on HTTP or HTTPS; this is not related to whether you're using SSHA256 or BCrypt. We do recommend BCrypt for the scenario where your database is somehow compromised, though.
2) The login is already done using POST; the 'loginForm' form element is only there to make sure the HTML looks nice. Did they just look at the HTML? If you watch the traffic you will see a POST being used.
3) I don't know enough on that topic, I would suggest testing it :)
Sebastiaan van den Broek
Don't use the field option, but disable autocomplete at form level.