Undeliverable: Application Security Issue

Sr. No. | Security Issue name     | Asset Name                        | Risk Rating
1       | Password replay attack  | Robotic process automation - Vyom | MEDIUM


Solution:

Check the points below:

1) Password replay attack:
This is controlled by an optional configuration setting, as follows:
  • Edit TOMCAT_HOME/webapps/aeengine/WEB-INF/classes/application.properties.
  • Change the following setting in the file:
    • ae.check.logintime=false to ae.check.logintime=true
  • Restart the server after this change.
With this enabled, the engine uses a different encryption for each login, so a replayed password will fail.

Note that this setting must be reapplied whenever the engine.war file is re-deployed (upgraded).
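As an added example (not part of the original post and not Automation Anywhere's own tooling), the POSIX shell script below applies the ae.check.logintime=true change to application.properties idempotently and verifies the result, so it can be re-run after every engine.war redeployment. The property key and file path are the ones given in the steps above; the default TOMCAT_HOME of /opt/tomcat, the .bak backup copy and the function names are assumptions for illustration. The script does not restart the server, which is still required for the change to take effect.

```shell
#!/bin/sh
# Added example: enable the login-time check that defeats password replay.
# Assumed default for TOMCAT_HOME; override via the environment on a real host.
TOMCAT_HOME="${TOMCAT_HOME:-/opt/tomcat}"
PROPS_FILE="${PROPS_FILE:-$TOMCAT_HOME/webapps/aeengine/WEB-INF/classes/application.properties}"

# enable_logintime_check FILE
# Sets ae.check.logintime=true, replacing any existing value or appending the
# key if it is absent. Keeps a FILE.bak copy. Returns 1 if FILE is missing.
enable_logintime_check() {
    f="$1"
    [ -f "$f" ] || { echo "missing properties file: $f" >&2; return 1; }
    cp "$f" "$f.bak"
    if grep -q '^[[:space:]]*ae\.check\.logintime[[:space:]]*=' "$f"; then
        # key present: rewrite the whole line regardless of its current value
        sed -i.tmp 's/^[[:space:]]*ae\.check\.logintime[[:space:]]*=.*/ae.check.logintime=true/' "$f"
        rm -f "$f.tmp"
    else
        # key absent (e.g. fresh deployment): append it
        printf '\nae.check.logintime=true\n' >> "$f"
    fi
}

# logintime_check_enabled FILE
# Returns 0 only if the effective value of ae.check.logintime is exactly true.
logintime_check_enabled() {
    grep -q '^[[:space:]]*ae\.check\.logintime[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# Demo on a constructed copy so the real file is untouched when run as a script.
demo_props=$(mktemp)
printf 'ae.db.host=localhost\nae.check.logintime=false\n' > "$demo_props"
enable_logintime_check "$demo_props" \
    && logintime_check_enabled "$demo_props" \
    && echo "ae.check.logintime=true set in $demo_props (restart the server to apply)"
rm -f "$demo_props" "$demo_props.bak"
```

To apply it to the real installation, call enable_logintime_check "$PROPS_FILE" and then restart the server; running it again after an upgrade is safe because an already-correct line is simply rewritten.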

2) Sensitive information disclosure:
This finding concerns two files:
a) aeui-config.properties:
This file does not contain any sensitive information. Moreover, since the file is stored encrypted, it does not expose any of the data it holds.
b) en-US.json:
This is a false positive. The file is the localization of all the UI labels that are displayed. The highlighted item 'Database Type' is the string shown on the UI as the label of a field where the user enters the database type (e.g. Postgres, Oracle, etc.). It does not disclose the system's database type.
