CA Identity Portal: Hashed password disclosed in API call

Document ID : KB000100294
Last Modified Date : 06/06/2018
Issue:
While performing vulnerability testing you may find that users' hashed passwords are returned in API responses and can be captured with a local proxy combined with a penetration testing tool such as Burp Suite.

Steps to reproduce:
1. In Internet Options, set the proxy to 127.0.0.1:8080.
2. Set up Burp Suite to capture local network traffic on 127.0.0.1:8080.
3. Log in to the Identity Portal with an admin user and invoke Modify User.
4. (Define a predefined filter in the Admin UI beforehand.) The predefined filter will populate the users in the search screen.
5. In Burp Suite, locate the predefined filter search entry and click the Response tab (a screenshot is in the report); the hashed passwords are visible.
Resolution:
This is a configuration issue. You need to remove the Password attribute from the list of configured User Attributes and then remove it from the search results configuration.

In the Identity Portal Admin UI, go to the Setup tab and open Managed Object Attributes. Remove the Password attribute from the User Attributes list. Then remove references to this attribute in every module's search results configuration: open the Search tab of each module and verify that this attribute is not used in the Result Text tab. After making these changes, the password is no longer sent to the client side.
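To confirm the fix took effect, it helps to scan the captured search response (the one inspected in Burp Suite above) for any password attribute or hash-looking value that still reaches the client. The following is an added example, not CA's code and not the product's documented response format: the JSON shape, the attribute name userPassword and the {SSHA}-prefixed hash format are all assumptions, and both sample responses are constructed.

```python
"""Post-fix verification: flag password attributes in a captured search response.

Added example. The response layout below is an assumption (constructed sample),
not the Identity Portal's documented API format.
"""
import json
import re
from typing import Any

# Attribute names that must never reach the client. "password" is the User
# Attribute named on the page; the aliases are assumptions.
SENSITIVE_ATTRIBUTE_NAMES = {"password", "userpassword", "passwd", "pwd"}

# Values that look like stored password hashes: LDAP-style scheme prefixes
# or a long hex digest. Assumed formats, used as a secondary signal so a
# renamed attribute carrying a hash is still caught.
HASH_VALUE_RE = re.compile(r"^(\{(SSHA|SHA|MD5|SMD5|CRYPT)\}\S+|[0-9a-fA-F]{32,})$")


def _walk(node: Any, path: str, findings: list) -> None:
    """Recursively visit every key/value in the parsed response."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            reasons = []
            if key.lower() in SENSITIVE_ATTRIBUTE_NAMES:
                reasons.append("sensitive attribute name")
            if isinstance(value, str) and HASH_VALUE_RE.match(value):
                reasons.append("value looks like a password hash")
            if reasons:
                findings.append({"path": child, "reasons": reasons})
            _walk(value, child, findings)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            _walk(item, f"{path}[{index}]", findings)


def find_password_leaks(response_body: str) -> list:
    """Return one finding per leaked attribute: its JSON path and why it was flagged."""
    findings: list = []
    _walk(json.loads(response_body), "", findings)
    return findings


# Constructed sample: what the predefined-filter search response looked like
# before the Password attribute was removed from the User Attributes list.
BEFORE_FIX = json.dumps({
    "results": [
        {"uid": "jdoe", "mail": "jdoe@example.com",
         "userPassword": "{SSHA}Y29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJlYWwtaGFzaA=="},
        {"uid": "asmith", "mail": "asmith@example.com",
         "userPassword": "{SSHA}YW5vdGhlci1jb25zdHJ1Y3RlZC1zYW1wbGUtdmFsdWU="},
    ]
})

# Constructed sample: the same search after the configuration change.
AFTER_FIX = json.dumps({
    "results": [
        {"uid": "jdoe", "mail": "jdoe@example.com"},
        {"uid": "asmith", "mail": "asmith@example.com"},
    ]
})


if __name__ == "__main__":
    for label, body in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        leaks = find_password_leaks(body)
        print(f"{label}: {len(leaks)} leaked attribute(s)")
        for leak in leaks:
            print(f"  {leak['path']}: {', '.join(leak['reasons'])}")
```

Run it against a response body saved from the proxy rather than the constructed samples; an empty result for every module's search is the condition the resolution above is meant to produce. The name check and the value check are independent on purpose, so a password attribute exposed under a different label in the Result Text configuration is still reported.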