Discussion forums

Login password appears in the clear in the request headers

Mashuk Choudhury, modified 7 years ago.

Login password appears in the clear in the request headers

Junior Member Posts: 33 Join date: 31/01/14 Recent posts
Hi,
In our organization, our security teams have scanned a number of websites which are hosted on Liferay 6.2 GA5 CE and their scanning tools have picked up on the fact that the login password can be seen in the clear when using something like Chrome Developer toolbar. We are using the default authentication model from Liferay.

In order to see this, I open a Chrome browser and enable the developer tools and go to the Network option and then I navigate to a login page of a Liferay hosted website. I enter my details and I am able to login. If I then view the first resource in the network option, I can see the request headers and after that I can see the Form Data which shows the login userid and password in the clear. The security team has picked up on this and would like the password to be masked.

I am unsure of how to go about resolving this, any help would be much appreciated?

Thanks
Mashuk
Pankaj Kathiriya, modified 7 years ago.

RE: Login password appears in the clear in the request headers

Liferay Master Posts: 722 Join date: 5/08/10 Recent posts
AFAIK, this happens with every other website.
One possible solution could be to encrypt/hash the password field (using JavaScript before the form is submitted) and decrypt/unhash it (before the actual authentication happens).
Olaf Kock, modified 7 years ago.

RE: Login password appears in the clear in the request headers

Liferay Legend Posts: 6403 Join date: 23/09/08 Recent posts
Mashuk Choudhury:
I enter my details and I am able to login. If I then view the first resource in the network option, I can see the request headers and after that I can see the Form Data which shows the login userid and password in the clear. The security team has picked up on this and would like the password to be masked.


Are you saying: "When I enter my password in the login box, it's being transmitted to the server"?

There's nothing that you can do with it, that is worth thinking about, except forcing https. Anything else will be obfuscating, but not adding security.
Mashuk Choudhury, modified 7 years ago.

RE: Login password appears in the clear in the request headers

Junior Member Posts: 33 Join date: 31/01/14 Recent posts
Olaf Kock:

Are you saying: "When I enter my password in the login box, it's being transmitted to the server"?
There's nothing that you can do with it, that is worth thinking about, except forcing https. Anything else will be obfuscating, but not adding security.


When I enter my login details and click submit then it's being transmitted. I am checking with the application security team to see if the problem is related to https not being set up correctly on the testing environment.
Olaf Kock, modified 7 years ago.

RE: Login password appears in the clear in the request headers

Liferay Legend Posts: 6403 Join date: 23/09/08 Recent posts
When I enter my login details and click submit then it's being transmitted. I am checking with the application security team to see if the problem is related to https not being set up correctly on the testing environment.


I'm wondering what your app security team is expecting, or how they'd like the password to be transmitted to the server in order to log in. There's no problem with transmitting a clear text password to the server, if it's done through https. Transmitting an encrypted password would require the transmission of the encryption key as well, which wouldn't make it more secure. That's exactly the problem that https solves.
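One concrete way to "force https" as described above, given here as an added example that is not code from this thread and not part of Liferay: a standard servlet filter that answers any plain-HTTP request with a redirect to the same URL over https before any servlet or portlet reads the submitted form data, and sets a Strict-Transport-Security header on responses that are already HTTPS so the browser stops using plain HTTP for the host. The class name RequireHttpsFilter, the filter mapping, and the X-Forwarded-Proto handling are assumptions; whether that header can be trusted depends on the reverse proxy in front of the application.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Liferay) that forces every request onto HTTPS.
 * A plain-HTTP request gets a 301 redirect to the https:// version of the same URL
 * before any servlet or portlet sees the request body, so a login POST sent over
 * HTTP never reaches the authentication code. Requests that are already HTTPS get a
 * Strict-Transport-Security header so the browser refuses plain HTTP for this host
 * on later visits.
 *
 * Map it to every URL, e.g. in web.xml:
 *   <filter-mapping><filter-name>RequireHttpsFilter</filter-name>
 *                   <url-pattern>/*</url-pattern></filter-mapping>
 */
public class RequireHttpsFilter implements Filter {

    // One year; the usual HSTS value once the HTTPS setup is known to work.
    private static final String HSTS_VALUE = "max-age=31536000; includeSubDomains";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isHttps(request)) {
            // Redirect rather than forward: the browser must re-issue the request
            // over TLS. Note that a POST arriving here has already left the browser
            // in the clear; the redirect stops the server from acting on it, and the
            // HSTS header set on the HTTPS side prevents the next one.
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", httpsUrl(request));
            return;
        }
        response.setHeader("Strict-Transport-Security", HSTS_VALUE);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    /**
     * True when the request arrived over TLS. Behind a reverse proxy that
     * terminates TLS, isSecure() is false and the proxy reports the original
     * scheme in X-Forwarded-Proto. Trust that header only if the proxy
     * overwrites any client-supplied copy of it; otherwise a client could claim
     * "https" and skip the redirect.
     */
    static boolean isHttps(HttpServletRequest request) {
        if (request.isSecure()) {
            return true;
        }
        String forwardedProto = request.getHeader("X-Forwarded-Proto");
        return forwardedProto != null && forwardedProto.equalsIgnoreCase("https");
    }

    /** Rebuilds the requested URL with the https scheme on the default port. */
    static String httpsUrl(HttpServletRequest request) {
        StringBuilder url = new StringBuilder("https://")
            .append(request.getServerName())
            .append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }
}
```

After deploying something like this, the check from the first post is the verification: the login request in the browser's Network tab should show an https:// URL, and a deliberate http:// visit to the login page should show a 301 followed by the https request. The form data still appears in the developer tools, because the browser is showing what it sent before TLS encrypted it; that is expected and is not what a network scanner sees.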
Mashuk Choudhury, modified 6 years ago.

RE: Login password appears in the clear in the request headers

Junior Member Posts: 33 Join date: 31/01/14 Recent posts

I'm wondering what your app security team is expecting, or how they'd like the password to be transmitted to the server in order to log in. There's no problem with transmitting a clear text password to the server, if it's done through https. Transmitting an encrypted password would require the transmission of the encryption key as well, which wouldn't make it more secure. That's exactly the problem that https solves.


So the problem was that the user credentials were being transmitted over http rather than https. So transmitting over https will be sufficient to resolve this.
Thanks to everyone who posted to this thread.
Chanakya P, modified 1 year ago.

RE: Login password appears in the clear in the request headers

Junior Member Posts: 72 Join date: 17/02/14 Recent posts
Hi Team,
I am also facing the same issue, even though my site has https.
How do I stop the logged-in user's credentials from appearing in the headers?
Can anyone help out?
Olaf Kock, modified 4 years ago.

RE: Login password appears in the clear in the request headers

Liferay Legend Posts: 6403 Join date: 23/09/08 Recent posts
Chanakya P:

Hi Team,
I am also facing the same issue, even though my site has https.
How do I stop the logged-in user's credentials from appearing in the headers?
Can anyone help out?
What's wrong with the answer here, and the one that I gave yesterday?