Security Flaws in ASP

Examine the code and find out at least four security flaws. Write a report about the security flaws. You need to explain clearly what security flaws you have found and the reason, or reasons, why they are flaws. You should also propose changes to fix the security flaw you found.

There are at least four security flaws within the framework of the code itself.

  1. Flaw #1: Passwords are stored in an easily accessible .txt file
    This is a major issue and a security hole in this system of files. All the user names and passwords can be lifted straight out of this file, and since it is named "passwords" it is easy to guess what it contains. To close this hole, I would suggest that the passwords be kept in a secure, password-protected database that is accessible only through a DSN pointing to a location on the network, rather than naming the database location explicitly in the code.

  2. Flaw #2: Password field in the form is set to type text instead of password
    This flaw becomes a problem if prying eyes happen to watch the screen as the user types in their name and password. Masking the field is only a mild, visual protection at the client level; nonetheless, it raises the security level and lets the user feel confident that the password cannot be read over their shoulder. Normal best practice is to set the HTML input type to password instead of text. An example is below:

    original                          modified as password
    Name:     [text input]            Name:     [text input]
    Password: [text input]            Password: [password input]


  3. Flaw #3: The server that the code resides on may not necessarily be secure
    The information passed from the login page to the verification page could be intercepted. Although the password can be visually "encrypted" on the client machine, the name/password pair is still sent as clear text over the internet, where it could be captured, reused, and the system compromised. I would suggest making sure that all of these pages reside on a server that is secured with SSL at the very least.

  4. Flaw #4: Error checking and logging of attempts is missing
    The login verification page should have a limiting component that disallows an unlimited number of attempts at the name/password combination. I would suggest allowing a maximum of three attempts before shutting off access to the rest of the pages.

Jin Park