The following security improvements are recommended for implementation:
*It was observed that the application allows a user to reuse an old password. The change-password functionality should reject any password that was used within a defined history (for example the last N passwords, or any password used in the last N months), so that old passwords cannot be recycled.
*It was observed that sensitive information, namely the username, is transmitted in cleartext within a cookie. Remove the username from the cookie and let the cookie carry only an opaque session identifier that the server maps back to the user. If sensitive data must be placed in a cookie, protect it with authenticated encryption (confidentiality and integrity), and mark the cookie Secure and HttpOnly so that it is sent only over TLS and is not readable by script.
*During the course of the audit it was identified that password complexity is not implemented or not strictly enforced by the application. The passwords observed were weak and easily guessable. The application should ensure that:
- Password history is maintained, and previously used passwords are rejected.
- Passwords contain alphanumeric characters as well as special characters.
- Password length is at least 8 characters.
- The password is not the same as the user ID.
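The two password findings above (no reuse of old passwords, and no enforced complexity) are addressed by the same change-password check. The following is an added example, not code from the audited application, showing how such a check can be implemented: complexity rules, a per-account history of salted PBKDF2 hashes so that old passwords are never stored in plaintext, and rejection of a password that matches the user ID. The 8-character minimum, the alphanumeric-plus-special rule and the user-ID rule come from the findings; the history depth of 5, the PBKDF2 iteration count, and the decision to reject a password that merely contains the user ID (stricter than "same as") are assumptions made here.

```python
import hashlib
import hmac
import os
import re
import string
from typing import List, Optional, Tuple

# Policy parameters. The 8-character minimum, the alphanumeric-plus-special
# rule and the user-ID check come from the audit findings; the history depth
# and the PBKDF2 iteration count are assumptions for this example.
MIN_LENGTH = 8
HISTORY_DEPTH = 5
PBKDF2_ITERATIONS = 100_000
SPECIAL_CHARS = set(string.punctuation)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, so the stored history never holds plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_complexity(password: str, userid: str) -> List[str]:
    """Return the list of policy rules the candidate password violates (empty if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special characters")
    # The finding asks that the password not equal the user ID; rejecting any
    # password that merely contains it is a slightly stricter assumption here.
    if userid and userid.lower() in password.lower():
        problems.append("contains the user ID")
    return problems


class PasswordHistory:
    """Keeps the hashes of the last `depth` passwords for one account."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self.entries: List[Tuple[bytes, bytes]] = []  # oldest first

    def is_reused(self, password: str) -> bool:
        return any(matches(password, salt, digest) for salt, digest in self.entries)

    def record(self, password: str) -> None:
        self.entries.append(hash_password(password))
        self.entries = self.entries[-self.depth:]  # drop the oldest beyond the window


def change_password(userid: str, history: PasswordHistory,
                    new_password: str) -> Tuple[bool, List[str]]:
    """Apply complexity and history checks; record the password only if both pass."""
    problems = check_complexity(new_password, userid)
    if history.is_reused(new_password):
        problems.append(f"matches one of the last {history.depth} passwords")
    if problems:
        return False, problems
    history.record(new_password)
    return True, []
```

The history is stored as hashes rather than plaintext because a password-history table is itself a high-value target; the comparison cost of PBKDF2 over a handful of entries is acceptable for a change-password request, which is rare and already authenticated.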
*No session timeout is configured in the application. Sessions should expire after a defined period of inactivity (idle timeout) and should also have an absolute lifetime after which the user must re-authenticate regardless of activity; on expiry the server-side session must be invalidated, not just the cookie cleared.
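The cookie finding (username in cleartext) and the session-timeout finding are naturally fixed together: the cookie carries only a random, opaque session identifier, and the server-side record behind it enforces both an idle timeout and an absolute lifetime. The following is an added example, not the audited application's code; the timeout values, the `SessionStore` API and the injectable clock are assumptions made for illustration.

```python
import secrets
import time
from typing import Callable, Dict, Optional

# Timeout values are assumptions for this example; pick them per application risk.
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity


class SessionStore:
    """Server-side sessions keyed by an opaque token; the cookie never carries the username."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT,
                 absolute_timeout: int = ABSOLUTE_TIMEOUT,
                 clock: Callable[[], float] = time.time):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.clock = clock   # injectable so expiry can be tested without sleeping
        self._sessions: Dict[str, Dict[str, object]] = {}

    def create(self, username: str) -> str:
        """Start a session and return the opaque identifier to put in the cookie."""
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness, reveals nothing about the user
        now = self.clock()
        self._sessions[sid] = {"username": username, "created": now, "last_seen": now}
        return sid

    @staticmethod
    def cookie_header(sid: str) -> str:
        """Set-Cookie line with the flags the cookie finding calls for."""
        return f"Set-Cookie: session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"

    def resolve(self, sid: str) -> Optional[str]:
        """Map a cookie value back to a username, enforcing both timeouts."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        now = self.clock()
        idle_for = now - float(record["last_seen"])
        age = now - float(record["created"])
        if idle_for > self.idle_timeout or age > self.absolute_timeout:
            del self._sessions[sid]   # invalidate server-side, not just client-side
            return None
        record["last_seen"] = now     # activity refreshes the idle timer only
        return str(record["username"])

    def destroy(self, sid: str) -> None:
        """Explicit logout."""
        self._sessions.pop(sid, None)
```

Because the absolute lifetime is measured from `created` and never refreshed, a stolen cookie cannot be kept alive indefinitely by periodic requests; the idle timeout alone would allow exactly that.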
*Through the “Reset Functionality” feature available in the application, email flooding attacks are possible: the request can be repeated without limit, so an attacker can cause an arbitrary number of reset emails to be sent to a chosen address. Reset requests should be rate-limited per target address and per source IP, and the response should be the same generic message whether or not the address exists, so that the endpoint can be used neither for flooding nor for user enumeration.
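One way to close the email-flooding hole is a sliding-window rate limit on the reset endpoint, applied both per target address and per source IP, with a uniform response. The following is an added example, not the audited application's code; the limits (3 mails per address per hour, 20 requests per IP per hour), the `ResetService` API, the generic response text and the in-memory stand-in for the mail transport are assumptions made for illustration.

```python
import secrets
import time
from collections import deque
from typing import Callable, Deque, Dict, List, Set, Tuple

# Limits are assumptions for this example; tune them to the application.
PER_EMAIL_LIMIT = 3        # reset mails per address per window
PER_IP_LIMIT = 20          # reset requests per source IP per window
WINDOW_SECONDS = 3600
GENERIC_RESPONSE = "If that address is registered, a password reset link has been sent."


class SlidingWindowLimiter:
    """Allows at most `limit` events per key within the trailing `window` seconds."""

    def __init__(self, limit: int, window: int, clock: Callable[[], float] = time.time):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        while hits and now - hits[0] >= self.window:   # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class ResetService:
    """Password-reset endpoint that cannot be turned into an email-flooding tool."""

    def __init__(self, known_users: Set[str], clock: Callable[[], float] = time.time):
        self.known_users = {u.lower() for u in known_users}
        self.per_email = SlidingWindowLimiter(PER_EMAIL_LIMIT, WINDOW_SECONDS, clock)
        self.per_ip = SlidingWindowLimiter(PER_IP_LIMIT, WINDOW_SECONDS, clock)
        self.sent: List[Tuple[str, str]] = []   # stand-in for the mail transport

    def request_reset(self, email: str, client_ip: str) -> str:
        address = email.strip().lower()
        # Check the per-IP budget first so that a flooder exhausts his own
        # budget before he can consume the victim address's budget.
        if self.per_ip.allow(client_ip) and self.per_email.allow(address):
            if address in self.known_users:
                token = secrets.token_urlsafe(32)   # the single-use token to embed in the mail
                self.sent.append((address, token))
        # Identical response whether the address exists, was throttled, or is unknown.
        return GENERIC_RESPONSE
```

The per-address limit caps how many mails any one victim can receive per hour no matter how many source IPs the attacker uses; the per-IP limit stops one client from spraying many addresses. The address is normalised before it is used as a limiter key so that case variations do not bypass the cap.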