Vulnerability ID: QOW9-4PWR-GWL8-WZGX
Application Name: IISexpress-Goat2
Vulnerability Link: https://apptwo.contrastsecurity.com/Contrast/static/ng/index.html#/6119fcd6-5a74-48e8-aff8-092520138ef3/applications/99b90da9-b3c6-45a7-b40c-b481c850b33c/vulns/QOW9-4PWR-GWL8-WZGX
What Happened?
The configuration in C:\Users\Administrator\Source\Repos\WebGoat.NET\WebGoat\web.config was configured to use forms authentication and requireSSL was not set to true in the following authentication section:
<forms name="customer_login" timeout="30" loginUrl="~/WebGoatCoins/CustomerLogin.aspx" requireSSL="false" protection="All" path="/">
  <credentials passwordFormat="Clear">
    <user name="admin" password="admin" />
    <user name="mario" password="luigi" />
    <user name="bob" password="password" />
  </credentials>
</forms>
What's the risk?
The application is configured to use forms authentication and does not require SSL for forms authentication requests. An attacker could eavesdrop on forms authentication requests sent over HTTP and learn user credentials.
Recommendation
The forms authentication section's requireSSL attribute should be set to true, as is shown in the following example:
<authentication mode="Forms"><forms requireSSL="true" ...
First Event
(no event)
Last Event
(no event)
HTTP Request
(No HTTP Request)
References
http://msdn.microsoft.com/en-us/library/system.web.configuration.formsauthenticationconfiguration.requiressl.aspx