Skip to content

Find and fix sensitive info in mongo #1454

New issue
New issue
Closed
#1485
Closed
Find and fix sensitive info in mongo#1454
#1485
Assignees
VakarisZ
Labels
BugAn error, flaw, misbehavior or failure in the Monkey or Monkey Island.Complexity: MediumImpact: CriticalSecuritysp/5
@VakarisZ

Description

@VakarisZ
VakarisZ
opened on Sep 6, 2021

Describe the bug

If a password is used to exploit a machine, it gets stored in the report in plaintext.

To Reproduce

Steps to reproduce the behavior:

  1. Exploit machine with any brute-force exploiter
  2. Generate a report
  3. Check mongodb
  4. The password used for exploit is stored in plaintext

Expected behavior

Use the same mechanism we use for configuration.

Tasks

  • Do a realistic monkey run and audit the database searching for sensitive plaintext information (0d) - @VakarisZ
  • Write a function to encrypt values in a dictionary based on keys specified (0.25d) @VakarisZ
  • Separate the report/telemetry/whatever and the db access with a layer of encryption (0d) @VakarisZ

Metadata

Metadata

Assignees

Labels

BugAn error, flaw, misbehavior or failure in the Monkey or Monkey Island.Complexity: MediumImpact: CriticalSecuritysp/5

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions