Good Day!
I'm having a dilemma configuring with Moodle's security.
When I try to login, the username and password typed in the login form can be seen in plain text when I intercept the site using Burp Suite.
I have already done my part:
1. Hosting the whole site in HTTPS. (Site cannot be accessed through HTTP only.)
2. Enabling "https for logins" in HTTP Security setting.
3. I checked what method is being used during form submit, which is "POST".
4. My self-signed certificate is making my browser identify my Moodle site as "Secured" with a padlock icon. (Properties: TLS 1.2, AES with 256-bit encryption (High); ECDH_P256 with 256-bit exchange.)
My question is... is Moodle capable of hashing or encrypting the username and password being submitted on the client side? I am also confused why the HTTPS and TLS connection is not encrypting the login form during form submit.
Are there any other solutions to solve this vulnerability? Our Security Office found this issue during their Vulnerability and Penetration testing.
Thank you so much in advance for accommodating my concerns!