Recently, I scanned my website for security issues and found the vulnerability below.
Unencrypted Login Form (10595)
An unencrypted login form has been discovered. Any area of a web application that possibly contains sensitive information or access to privileged functionality such as remote site administration functionality should utilize SSL or another form of encryption to prevent login information from being sniffed or otherwise intercepted or stolen. If the login form is being served over SSL, the page that the form is being submitted to MUST be accessed over SSL. Every link/URL present on that page (not just the form action) needs to be served over HTTPS. This will prevent Man-in-the-Middle attacks on the login form. Recommendations include ensuring that sensitive areas of your web application have proper encryption protocols in place to prevent login information and other data that could be helpful to an attacker from being intercepted.
Fixed using method 1:
I fixed this Unencrypted Login Form issue and am going to share the fix with you. There is a very simple way to fix the Unencrypted Login Form issue.
If you use the <asp:Login> tag for the login form, it sets the form action automatically, which causes the Unencrypted Login Form issue. You need to set the “DestinationPageUrl” property of the <asp:Login> tag to resolve this issue.
If you do not set the “DestinationPageUrl” property of the <asp:Login> tag, it sets a default return URL using the GET method. When you use the GET method in the form tag, it causes the Unencrypted Login Form issue.
Fixed using method 2:
If you use a <form> tag and pass parameters using the GET method, you get this Unencrypted Login Form issue in the security scan result. Use the POST method to resolve this issue.
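To confirm a fix before re-running the scanner, the rendered login page can be checked against the conditions in the scanner description (page over HTTPS, form target over HTTPS, every link over HTTPS) and against the GET/POST point above. This is an added example, not code from the original post; the `example.test` URLs, the sample HTML and the names `LoginFormParser` and `audit_login_page` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: the page is HTTPS but the form submits over HTTP using GET.
SAMPLE_URL = "https://example.test/Login.aspx"
SAMPLE_HTML = """
<form method="get" action="http://example.test/Login.aspx">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<a href="http://example.test/Help.aspx">Help</a>
"""

class LoginFormParser(HTMLParser):
    """Collect forms that hold a password field, plus every href/src on the page."""
    def __init__(self):
        super().__init__()
        self.forms, self.urls, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(),
                          "password": False}
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form["password"] = True
        self.urls += [a[k] for k in ("href", "src") if a.get(k)]

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            self.forms.append(self._form)
            self._form = None

def audit_login_page(page_url, html):
    """Return a list of findings; relative URLs are resolved against page_url."""
    parser = LoginFormParser()
    parser.feed(html)
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append("page served without HTTPS")
    for form in (f for f in parser.forms if f["password"]):
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        if urlparse(target).scheme != "https":
            findings.append("form submits to non-HTTPS URL: " + target)
        if form["method"] != "post":
            findings.append("form uses GET, so credentials travel in the URL")
    for url in parser.urls:  # the scanner text requires every link on the page to be HTTPS
        if urlparse(urljoin(page_url, url)).scheme == "http":
            findings.append("non-HTTPS link on login page: " + url)
    return findings
```

Calling `audit_login_page(SAMPLE_URL, SAMPLE_HTML)` returns three findings for the constructed page; an empty list means the page meets all four conditions.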