HCL SW Blogs
Today we are going to discuss a very common scenario that can compromise the security of your applications. Whenever a developer authenticates against a secured (HTTPS) application while using a testing tool such as Burp or Fiddler as a proxy, the password becomes visible at the application level. If you believe that exposed credentials are a risk to the application, you are correct.
For example, my application has the username swati and the password password. This is how the credentials are exposed when I use the Fiddler tool to intercept the request.
I have tested the application using the Fiddler tool and will now explain how it works.
There are three components in this case: 1 – the client device, 2 – the interceptor (Burp or Fiddler), 3 – the application server.
Steps you might follow:
1 – You enter an HTTPS-enabled URL in the browser and try to intercept it in Fiddler. While doing so, you get the Fiddler prompt “HTTPS Decryption is disabled, click to configure”. You click on that prompt, which takes you to Fiddler -> Options -> HTTPS, and you check Decrypt HTTPS traffic. Fiddler then asks you to install its root certificate and to configure it in Windows.
If you select yes, Windows prompts you with a warning like the one shown.
If you click yes, Windows prompts you again:
If you click yes once more, then with your consent the Fiddler certificate is trusted and added to your device.
In the Windows Certificate Manager you can see the certificate that Fiddler added.

In doing so, you explicitly begin to trust any certificate signed by Fiddler’s root certificate. When you now make an HTTPS request, Fiddler can perform a man-in-the-middle interception of your traffic, because your browser accepts the certificates Fiddler issues for each site you visit.
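The step above is the one that matters for defenders: an extra root certificate in the Windows trusted root store is what turns an interception proxy into a transparent decryptor. The PowerShell script below is an added example (not part of the original post) that audits both the user and machine Root stores for entries worth a second look. The list of name patterns and the 30-day recency threshold are assumptions to adjust for your environment; the default Fiddler root certificate name DO_NOT_TRUST_FiddlerRoot is the one Fiddler generates, and the script matches on the FiddlerRoot fragment.

```powershell
# Added example, not code from the original post: audit the Windows trusted
# root stores for certificates that look like interception-proxy roots.
# Assumptions: the name patterns and the recency window are illustrative.

$SuspectPatterns = @('FiddlerRoot', 'PortSwigger', 'Burp', 'mitmproxy', 'Charles')
$RecentDays      = 30
$Stores          = @('Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root')

$Findings = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store | ForEach-Object {
        $cert = $_

        # Signal 1: subject matches a name associated with an interception tool.
        $nameHit = $SuspectPatterns | Where-Object { $cert.Subject -match $_ } | Select-Object -First 1

        # Signal 2: public root CAs were issued years ago; a root whose NotBefore
        # is within the last few weeks was most likely generated on this machine.
        $isRecent = $cert.NotBefore -gt (Get-Date).AddDays(-$RecentDays)

        # Signal 3: no legitimate public root CA ships its private key to a client.
        $hasKey = $cert.HasPrivateKey

        if ($nameHit -or $isRecent -or $hasKey) {
            $reasons = @()
            if ($nameHit)  { $reasons += "subject matches '$nameHit'" }
            if ($isRecent) { $reasons += "issued within the last $RecentDays days" }
            if ($hasKey)   { $reasons += "private key present in store" }

            [PSCustomObject]@{
                Store      = $Store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotBefore  = $cert.NotBefore
                Reason     = ($reasons -join '; ')
            }
        }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    Write-Host "No suspicious root certificates found in $($Stores -join ', ')."
}
```

Run it in a normal PowerShell session to see the user store, and from an elevated session to cover the machine store fully. Any hit in the output should be compared against a baseline of roots your organisation intentionally deploys; a root that only exists because a developer clicked through the Fiddler prompts is exactly the kind of entry this surfaces, and removing it (Remove-Item on the matching Cert: path) restores the browser's normal rejection of proxy-issued certificates.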

In all of this, you trusted Fiddler to decrypt your HTTPS requests by allowing its signing certificate to be installed on your device, which should not happen in the normal case.
Fiddler is installed on your device, and it is from your own device that you are accessing the HTTPS site through the installed browser. That is not really a man in the middle: everything is under your control.
No one can install any software or any CA certificate on your device without your consent. If you allow it, then no one can stop you.
If a person (an intruder) wanted to install a CA certificate on your machine from his machine by some means, would you allow it? I think you would not. In that case you are safe here.
I hope this piece of information helps you to be more aware of the security risks involved in trusting third-party software with your authentication traffic.
