On 03/26/2017 04:43 PM, MustLive wrote: > Brute Force (WASC-11): > > There is no protection against BF attacks in admin panel 192.168.11.254, > because Basic Authentication is used. It is unlikely that the owner will > change login and password for admin panel. But if will change, then they > can be picked up.
This conflates two issues, and anyhow, Basic Authentication is not a problem (Digest won't be any more secure than Basic, if SSL is used... is it present?). > > Cross-Site Request Forgery (WASC-09): > > There are CSRF vulnerabilities in admin panel. Such as this one: in login > process there is no captcha, so besides lack of protection against BF, also > CSRF attack can be made. It's possible to remotely enter into admin panel > (with default login and password) for conducting further CSRF attacks. CAPTCHA has nothing to do with CSRF. Neither do default credentials. -- Joey Kelly Minister of the Gospel and Linux Consultant http://joeykelly.net 504-239-6550 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
