SOLVED
Home

ADFS Clear text password visible

Preeti Kawa
Regular Visitor

We have integrated ADFS into one of our SharePoint application for authentication. Our internal security team has performed Vulnerability Assessment & found high severity VA point of AD password visible in Clear text. they have installed interceptor tool & found VA. When the user tried to access the portal from Outside network, it will be redirected to ADFS proxy page. The user will provide the credentials, and we started interceptor tool and this tool retrieved the credentials which is passed through viewstate in clear text format. But when we used the same tool to access bank sites (they may use form based authentication and credentials are encrypted) and tool retrieved the credentials in encrypted form. Need support in blocking VA point of clear text password visible.

2 Replies
Solution

I'm not quite sure what the problem is or where the interceptor you mentioned is located. 

 

When user enters credentials in AD FS proxy, they are plain text. But the connection between user's browser and AD FS proxy is SSL secured and so is the connection between AD FS proxy and AD FS server.

I have also witnessed the same thing, inside browse if you inspect the connection, the username, and password visible in plain text and it is very much visible to anyone who gains access to the pc/browser.

 

Microsoft is relying on TLS connection when the communication from Browser to the server and further to Kerberos process happen. That is perfect no issue on it.

 

However, in case the malicious agent gain access to a browser and it is very much possible It’s easy for him to find the password and username.

The tool is used for SSO hence this password will be enabled him/her to gain access to all the application.

 

In my opinion, the formfactor authentication should be encrypted at least the password at the time user has entered.


@Preeti Kawa wrote:

We have integrated ADFS into one of our SharePoint application for authentication. Our internal security team has performed Vulnerability Assessment & found high severity VA point of AD password visible in Clear text. they have installed interceptor tool & found VA. When the user tried to access the portal from Outside network, it will be redirected to ADFS proxy page. The user will provide the credentials, and we started interceptor tool and this tool retrieved the credentials which is passed through viewstate in clear text format. But when we used the same tool to access bank sites (they may use form based authentication and credentials are encrypted) and tool retrieved the credentials in encrypted form. Need support in blocking VA point of clear text password visible.



@Preeti Kawa wrote:

We have integrated ADFS into one of our SharePoint application for authentication. Our internal security team has performed Vulnerability Assessment & found high severity VA point of AD password visible in Clear text. they have installed interceptor tool & found VA. When the user tried to access the portal from Outside network, it will be redirected to ADFS proxy page. The user will provide the credentials, and we started interceptor tool and this tool retrieved the credentials which is passed through viewstate in clear text format. But when we used the same tool to access bank sites (they may use form based authentication and credentials are encrypted) and tool retrieved the credentials in encrypted form. Need support in blocking VA point of clear text password visible.



 

Related Conversations
Problems with formating text within a cell.
Maciej Fox in Excel on
10 Replies
Password Generation and Password Reveal are Not working
HotCakeX in Discussions on
5 Replies
Re-request password
Serhii Zahuba in Outlook on
9 Replies
Bug in Edge insider password manager
HotCakeX in Discussions on
15 Replies