
349 Technical information leak - Credentials


Description

When the login page is loaded, it triggers a request whose response includes an unminified, non-obfuscated script in which the BotChat Direct Line secret key can be read in plain text.


Impact

Obtain the Direct Line secret key and connect directly to the application's bot.


Recommendation

- Minify and obfuscate binaries.
- Use a vault service or environment variables to protect sensitive information.
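One server-side pattern that follows these recommendations, added here as an example and not taken from this page: the Direct Line secret is read from an environment variable and exchanged, server to server, for a short-lived token, so the script served to the login page never contains the secret. It assumes Node 18+ (global `fetch`) and the Direct Line v3 token endpoint; the `DIRECT_LINE_SECRET` variable name and the injectable `fetchImpl` parameter are this example's own choices.

```javascript
// Direct Line v3 endpoint that trades a secret for a short-lived token.
const DIRECT_LINE_TOKEN_URL =
  'https://directline.botframework.com/v3/directline/tokens/generate';

// Read the secret from the environment (variable name is an assumption).
// Failing hard here prevents a silent fallback to a hard-coded value that
// could later end up in a client bundle.
function loadDirectLineSecret(env = process.env) {
  const secret = env.DIRECT_LINE_SECRET;
  if (!secret) throw new Error('DIRECT_LINE_SECRET is not set');
  return secret;
}

// Exchange the secret for a token scoped to one conversation. `fetchImpl`
// is injectable so the exchange can be exercised without network access.
async function issueDirectLineToken(secret, userId, fetchImpl = fetch) {
  const res = await fetchImpl(DIRECT_LINE_TOKEN_URL, {
    method: 'POST',
    headers: {
      // The secret only ever travels from this server to the Bot Framework.
      Authorization: `Bearer ${secret}`,
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ user: { id: userId } }),
  });
  if (!res.ok) throw new Error(`token exchange failed: HTTP ${res.status}`);
  const { token, expires_in: expiresIn, conversationId } = await res.json();
  // Only the short-lived token reaches the browser, never the secret.
  return { token, expiresIn, conversationId };
}

// Defensive check a deploy pipeline can run over a built bundle: the secret
// must not appear verbatim in anything served to the client.
function bundleContainsSecret(bundleText, secret) {
  return secret.length > 0 && bundleText.includes(secret);
}

module.exports = { loadDirectLineSecret, issueDirectLineToken, bundleContainsSecret };
```

The login page then requests a token from this server endpoint and passes only that token to the Web Chat client.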


Threat

Anonymous attacker loads the login page.


Expected Remediation Time

60 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the source.

Base 4.0

  • Attack vector: N
  • Attack complexity: L
  • Attack Requirements: N
  • Privileges required: N
  • User interaction: N
  • Confidentiality (VC): L
  • Integrity (VI): N
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: X

Requirements


Fixes


Last updated

2024/02/19