Cause: the account and password are submitted in plaintext over GET during login.

Hazard:
1. If the account is not bound to the AD account, the harm is limited, but because the system stores the company's organizational structure and detailed personnel information, all of that information is leaked.
2. If the account is bound to the AD account to provide SSO, the harm is severe. Many large companies use SSO, meaning the AD account is the single account for all systems. Leaking this account and password therefore means the accounts and passwords of all systems are leaked: the credentials obtained from e-cology are the credentials for every system, so the exposure is not limited to the company's organizational structure and personnel details. If the financial system and HR system also authenticate against the same AD account, almost all information of the entire company can be leaked.

[Screenshot: local packet capture]
[Screenshot: sniffing on the switched network]

Because the AD account is bound, logging on is an SSO logon: with the obtained account and password you can directly log on to the web mailbox, the instant messaging tool Lync, the project management system Jira, and the defect tracking system Mantis.
Solution:
No method provided.
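Credentials sent in a GET query string are not only visible to anyone sniffing the network, they are also written to web server, proxy and browser history logs. The following is an added detection example (not code from the page or from the e-cology product) that scans access-log lines for login requests carrying a password parameter in the URL; the log lines and the parameter names are constructed assumptions and should be adjusted to the application being audited.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:09:00:01 +0800] "GET /login/Login.jsp?account=alice&password=Secret1 HTTP/1.1" 302 0
10.0.0.6 - - [01/Jan/2024:09:00:02 +0800] "POST /login/VerifyLogin.jsp HTTP/1.1" 302 0
10.0.0.7 - - [01/Jan/2024:09:00:03 +0800] "GET /index.jsp?tab=home HTTP/1.1" 200 5120
"""

# Query-parameter names treated as credential carriers (assumed; extend for the real application).
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "userpassword", "pass"}

# Extracts the request line: method, request target, protocol version.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def find_credential_in_url(line):
    """Return (method, path, param_name) if the request target carries a credential parameter, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in query:
        if name.lower() in CREDENTIAL_PARAMS:
            return (method, parts.path, name)
    return None


def scan_log(text):
    """Return one finding per offending line; the secret value itself is never copied out of the log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit = find_credential_in_url(line)
        if hit:
            findings.append({"line": lineno, "method": hit[0], "path": hit[1], "param": hit[2]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['path']} exposes credential parameter '{f['param']}'")
```

A login that submits credentials in a POST body over HTTPS produces no such finding, which is the fix this scan verifies after remediation.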