Summary #

Invicti identified an RSA private key in the web site.

When you try to login to a secure server, client application uses a digital signature to prove that you have the private key; the server checks that the signature is valid, and that the public key is authorized for your username. If all is well, you are granted access.

Impact #

When the private key is unprotected with a passphrase, anybody who steals the key can log into everything you have access to.

Even if it is protected with a passphrase, the attacker can try a huge number of possible passphrases, even with moderate computing resources. If your passphrase is a dictionary word, it can probably be broken in a matter of seconds.

Remediation #
  • Remove this kind of sensitive data from the output.
Classifications #
CAPEC-118; CWE-200; ISO27001-A.18.1.3; WASC-13; OWASP 2013-A6; OWASP 2017-A3 , CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities


Search Vulnerability


Dead accurate, fast & easy-to-use Web Application Security Scanner

Get a demo