Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Revise 'Weak Login Function' subcategory

See original GitHub issue

As discussed in #127 it was decided to keep current P3 severity rating of Broken Authentication and Session Management > Weak Login Function > Over HTTP. However the discussion provoked a more in depth analysis of how the VRT addresses this issue. As a result we would like to propose a more granular classification. Please see the image with two potential options:

screen shot 2018-02-21 at 8 42 53 pm

As always all feedback is appreciated!

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Reactions:1
  • Comments:19 (9 by maintainers)

github_iconTop GitHub Comments

truemongocommented, Feb 22, 2018

I think the question of whether this is a useful bug class to customers, and whether its actually being fixed or simply being ignored, can be resolved rather easily: pull all submissions of “Login over HTTP” from the past 6 months, and compare the number of “unresolved” to “resolved” ones.

plr0mancommented, Feb 23, 2018

But I don’t think the FTP part is a very good idea, is this already being reported?


There are many more protocols that do not use encryption are we gonna put them all in the VRT and increase the farm grounds?

As long as there’s any benefit from distinguishing every single insecure protocol then yes, otherwise a protocol-agnostic entry could be a better option. It is surprising to see that this would be considered a bad thing. Aren’t we here to make our customers secure?

I still think login over http is a breeding ground for farming. It’s possible to get to the top of the monthly leaderboard with pure volume of duplicate P3’s

We have not observed it being used this way

it’s less of a hassle for them to click a “give 2 kudos points” each time rather than going through the letsencrypt process and actually setting up certificates on the 100 random hosts they have on the Internet

Please see below

pull all submissions of “Login over HTTP” from the past 6 months, and compare the number of “unresolved” to “resolved” ones.

That is a good idea, but as @jhaddinx mentioned the other day, the unresolved/resolved states are not an accurate way to measure what was actually fixed. We dug a little bit deeper here and actually checked what was fixed, the numbers look good and the proposed changes relate to those to some extent, with the exception of staging instances, which I would love your opinion on

Read more comments on GitHub >

github_iconTop Results From Across the Web

Weak Login Function | Pentest Vulnerability Wiki -
Penetration testing for a common vulnerability such as a weak login function can be easy with a PtaaS platform. Learn more with the...
Read more >
Access control vulnerabilities and privilege escalation
For example, an administrator might be able to modify or delete any user's ... Some applications determine the user's access rights or role...
Read more >
CWE-284: Improper Access Control (4.9) - MITRE
This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, ...
Read more >
Monitoring Active Directory for Signs of Compromise
This subcategory reports changes to objects in AD DS. The types of changes that are reported are create, modify, move, and undelete operations ......
Read more >
10 Common Web Security Vulnerabilities - Toptal
The poor man's security misconfiguration solution is post-commit hooks, ... as an attacker can always forge a request to the “hidden” functionality.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found