Discussion forums
Login password appears in the clear in the request headers
Mashuk Choudhury, modified 7 years ago.
Login password appears in the clear in the request headers
Junior Member Posts: 33 Join date: 31/01/14 Recent posts
Hi,
In our organization, our security teams have scanned a number of websites which are hosted on Liferay 6.2 GA5 CE and their scanning tools have picked up on the fact that the login password can be seen in the clear when using something like Chrome Developer toolbar. We are using the default authentication model from Liferay.
In order to see this, I open a Chrome browser and enable the developer tools and go to the Network option and then I navigate to a login page of a Liferay hosted website. I enter my details and I am able to login. If I then view the first resource in the network option, I can see the request headers and after that I can see the Form Data which shows the login userid and password in the clear. The security team has picked up on this and would like the password to be masked.
I am unsure of how to go about resolving this; any help would be much appreciated.
Thanks
Mashuk
Pankaj Kathiriya, modified 7 years ago.
RE: Login password appears in the clear in the request headers
Liferay Master Posts: 722 Join date: 5/08/10 Recent posts
AFAIK, this happens with every other web-site.
One possible solution can be to encrypt/hash the password field (using JavaScript before form submit) and decrypt/unhash it (before actual authentication happens).
Olaf Kock, modified 7 years ago.
RE: Login password appears in the clear in the request headers
Liferay Legend Posts: 6403 Join date: 23/09/08 Recent posts
Mashuk Choudhury:
I enter my details and I am able to login. If I then view the first resource in the network option, I can see the request headers and after that I can see the Form Data which shows the login userid and password in the clear. The security team has picked up on this and would like the password to be masked.
Are you saying: "When I enter my password in the login box, it's being transmitted to the server"?
There's nothing that you can do with it, that is worth thinking about, except forcing https. Anything else will be obfuscating, but not adding security.
Mashuk Choudhury, modified 7 years ago.
RE: Login password appears in the clear in the request headers
Junior Member Posts: 33 Join date: 31/01/14 Recent posts
Olaf Kock:
Are you saying: "When I enter my password in the login box, it's being transmitted to the server"?
There's nothing that you can do with it, that is worth thinking about, except forcing https. Anything else will be obfuscating, but not adding security.
When I enter my login details and click submit, then it's being transmitted. I am checking with the application security team to see if the problem is related to https not being set up correctly on the testing environment.
Olaf Kock, modified 7 years ago.
RE: Login password appears in the clear in the request headers
Liferay Legend Posts: 6403 Join date: 23/09/08 Recent posts
Mashuk Choudhury:
When I enter my login details and click submit, then it's being transmitted. I am checking with the application security team to see if the problem is related to https not being set up correctly on the testing environment.
I'm wondering what your app security team is expecting, or how they'd like the password to be transmitted to the server in order to log in. There's no problem with transmitting a clear text password to the server, if it's done through https. Transmitting an encrypted password would require the transmission of the encryption key as well, which wouldn't make it more secure. That's exactly the problem that https solves.
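As an added example (not code from this thread or from Liferay), here is a small offline check that applies the point above: it looks at captured login-page responses and flags the cases in which a browser could still submit the password over plain http. The host portal.example, the path /c/portal/login and the sample responses are constructed for illustration.

```python
# Added example (not from the thread or Liferay): offline check of captured login responses.
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


@dataclass
class Response:  # a captured HTTP response for a login URL
    url: str
    status: int
    headers: dict
    body: str = ""


class _FormActions(HTMLParser):  # collects the action of every <form> on the page
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def form_actions(base_url, html):
    parser = _FormActions()
    parser.feed(html)
    return [urljoin(base_url, a) for a in parser.actions]


def assess(resp):
    """Return findings; an empty list means credentials can only travel over https."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    findings = []
    if urlsplit(resp.url).scheme == "http":
        # The only acceptable plain-http answer is a redirect to an https URL.
        if not (resp.status in (301, 302, 303, 307, 308)
                and urlsplit(headers.get("location", "")).scheme == "https"):
            findings.append("login page served over http without redirect to https")
    elif "strict-transport-security" not in headers:
        findings.append("https response lacks Strict-Transport-Security")
    # A form action resolving to http:// posts the password in the clear even on an https page.
    for action in form_actions(resp.url, resp.body):
        if urlsplit(action).scheme == "http":
            findings.append("form posts credentials to " + action)
    return findings


# Constructed samples; the path /c/portal/login is assumed for illustration.
PLAIN_HTTP = Response("http://portal.example/c/portal/login", 200, {},
                      '<form action="/c/portal/login" method="post"></form>')
HTTPS_OK = Response("https://portal.example/c/portal/login", 200,
                    {"Strict-Transport-Security": "max-age=31536000"},
                    '<form action="/c/portal/login" method="post"></form>')
```

Run `assess()` on a response captured from your own test environment; the plain-http case is exactly what a scanner reports as "password in the clear", and the findings list is empty once the redirect, the form action and HSTS are all in place.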
Mashuk Choudhury, modified 6 years ago.
RE: Login password appears in the clear in the request headers
Junior Member Posts: 33 Join date: 31/01/14 Recent posts
Olaf Kock:
I'm wondering what your app security team is expecting, or how they'd like the password to be transmitted to the server in order to log in. There's no problem with transmitting a clear text password to the server, if it's done through https. Transmitting an encrypted password would require the transmission of the encryption key as well, which wouldn't make it more secure. That's exactly the problem that https solves.
So the problem was that the user credentials were being transmitted over http rather than https. So transmitting over https will be sufficient to resolve this.
Thanks to everyone who posted to this thread.
Chanakya P, modified 1 year ago.
RE: Login password appears in the clear in the request headers
Junior Member Posts: 72 Join date: 17/02/14 Recent posts
Hi Team,
I am also facing the same issue even though my site has https.
How do I disable the logged-in user's credentials from the headers?
Can anyone help out?
Olaf Kock, modified 4 years ago.
RE: Login password appears in the clear in the request headers
Liferay Legend Posts: 6403 Join date: 23/09/08 Recent posts
Chanakya P:
Hi Team,
I am also facing the same issue even though my site has https.
How do I disable the logged-in user's credentials from the headers?
Can anyone help out?
What's wrong with the answer here, and the one that I gave yesterday?