13

A client asked us to modify a site made in some obscure CMS. Authentication on AJAX requests is done by sending the email and password as plaintext in a header, and then it does md5 on the server side.

Comments
  • 4
    Still better than plaintext on the database.
  • 2
    @atgg yeah, I forgot that is also a feature: it can save it as md5 or plaintext in the database.
  • 0
    Isn't that the usual way, to send the password in plain text and hash it on the server? (Probably not using md5.)

    Protection must be https.
  • 0
    @johmsalas yeah, if the system used https; it uses plain http. And even if it used https, I don't think it is good practice, especially since they use it to authorize every AJAX request they make.
  • 0
    So you want to hash in browser?
    #OMG