CodeProject insecure login
-
Why does CodeProject provide an insecure login at the top of the page? If I type the wrong password in the box the first time, then it will take me to an HTTPS page, which is a good thing. But since CP already has SSL anyway, I don't see a reason to leave this vulnerability.
-
If you look at the source of the page, the login form submits to an HTTPS target:
<script type="text/javascript">//<!--
function doSubmit(secure)
{
    if (secure)
        document.subForm.action = "https://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2FMessages%2F4365528%2FRe-CodeProject-insecure-login.aspx"
    else
        document.subForm.action = "https://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2FMessages%2F4365528%2FRe-CodeProject-insecure-login.aspx"
    document.subForm.submit();
    return true;
}//-->
</script>
<a name="SignUp"></a>
<form name="subForm" id="subForm" action="https://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fMessages%2f4365528%2fRe-CodeProject-insecure-login.aspx" method="post" class="tight">
Dave Find Me On: Web|Facebook|Twitter|LinkedIn
Folding Stats: Team CodeProject
-
I am aware of that, but it doesn't prevent an MITM attack. Whenever there are input boxes on a page which is not secured, nothing guarantees that you are not a victim of a MITM attack. All form post links could be rewritten to send the data elsewhere. Even worse, the page could be running key-logging JavaScript code, and no one would have a clue that their passwords had been stolen before they even clicked the submit button.