AttackFlow Findings Dictionary

Empty Password in Configuration

An attacker can access confidential resources without using any password.

Severity: Medium

Fix Cost: Medium

Trust Level: Low

Configuration files are one of the most popular places to store resource credentials, such as database passwords, LDAP connectivity passwords, etc.

The snippet below shows such a configuration fragment, in which settings that may be used for authentication are given an empty password.

                            
<configuration>
  <appSettings>
    <add key="password" value="" />
    <add key="secret" value="" />
  </appSettings>
</configuration>
            
            

This makes brute-force or dictionary attacks more practical and easier for attackers to employ.
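
One way to check configuration files for this finding, as an added example that is not AttackFlow's own detection logic. The list of credential key names is an assumption, and the connectionStrings check goes beyond the appSettings snippet shown above.

```python
import re
import xml.etree.ElementTree as ET

# Key names treated as credentials (an assumption; extend for your code base).
SENSITIVE = re.compile(r"passw(or)?d|pwd|passphrase|secret|token|api[_-]?key", re.I)

def find_empty_credentials(xml_text):
    """Return (section, name) pairs for credential settings with an empty value."""
    root = ET.fromstring(xml_text)
    findings = []
    # <appSettings><add key="..." value="..." /> entries, as in the snippet above.
    for add in root.iterfind(".//appSettings/add"):
        key = add.get("key", "")
        value = add.get("value")
        # A missing or whitespace-only value counts as empty.
        if SENSITIVE.search(key) and (value is None or value.strip() == ""):
            findings.append(("appSettings", key))
    # Connection strings carry credentials as ';'-separated key=value pairs.
    for add in root.iterfind(".//connectionStrings/add"):
        for part in add.get("connectionString", "").split(";"):
            name, sep, value = part.partition("=")
            if sep and SENSITIVE.fullmatch(name.strip()) and value.strip() == "":
                label = add.get("name", "") + ":" + name.strip()
                findings.append(("connectionStrings", label))
    return findings

# Constructed sample input, not taken from a real application.
SAMPLE = """<configuration>
  <appSettings>
    <add key="password" value="" />
    <add key="secret" value="" />
    <add key="smtpPassword" value="  " />
    <add key="passwordMinLength" value="12" />
    <add key="theme" value="" />
  </appSettings>
  <connectionStrings>
    <add name="Main" connectionString="Server=db01;User Id=app;Password=;" />
  </connectionStrings>
</configuration>"""

if __name__ == "__main__":
    for section, name in find_empty_credentials(SAMPLE):
        print(f"empty credential: {section}/{name}")
```

Settings such as `passwordMinLength` match the key pattern but are not reported because their value is non-empty, and empty non-credential settings such as `theme` are ignored.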
