User name and password are transmitted as HTTP request params and can be
easily extracted
The content of the user dialog box is sent as plain text and can be modified
Login.jsp and error.jsp are accessible from outside the server and can be stolen
The target server is not authenticated and can be substituted
User name is transmitted as HTTP request param and the password can be found
via brute force method
J_security_check servlet is accessible from outside the server and could be
hacked
HTTP connection can break and user name and password will lost
|