Today, it is still one of the most common vulnerabilities we discover in our application security tests.
How do we discover this vulnerability? It's quite simple, really.
We use WinHex, though any memory viewing tool with search features should do. WinHex lets you view the memory of any process and search through it.
After we log out of the application session, we fire up WinHex and ask it to open the browser's memory. We narrow down to the data space used by that session by searching for keywords specific to the session; our favorite is to search for the password itself. Once WinHex lands on the right region, we skim through it to see what's still lying around. Honestly, in 90% of the cases, the password is still there!
The risk of passwords lying in memory is that anyone who has access to the computer when the browser window is still open can grab the password, even if SSL is used.
The solution is to reset the password variable after it is posted to the server, or better still to reset it after posting its salted hash to the server. Here's what the Appsec FAQ has to say about salted hashes:
How does the salted MD5 technique work?