Forum

Login password appears in the clear in the request headers

Mashuk Choudhury, modified 7 years ago.

Login password appears in the clear in the request headers

Junior Member, Posts: 33, Join date: 31/01/14
Hi,
In our organization, our security teams have scanned a number of websites which are hosted on Liferay 6.2 GA5 CE and their scanning tools have picked up on the fact that the login password can be seen in the clear when using something like Chrome Developer toolbar. We are using the default authentication model from Liferay.

In order to see this, I open a Chrome browser and enable the developer tools and go to the Network option and then I navigate to a login page of a Liferay hosted website. I enter my details and I am able to login. If I then view the first resource in the network option, I can see the request headers and after that I can see the Form Data which shows the login userid and password in the clear. The security team has picked up on this and would like the password to be masked.

I am unsure of how to go about resolving this, any help would be much appreciated?

Thanks
Mashuk
Pankaj Kathiriya, modified 7 years ago.

RE: Login password appears in the clear in the request headers

Liferay Master, Posts: 722, Join date: 05/08/10
AFAIK, this happens with every other website.
One possible solution could be to encrypt/hash the password field (using JavaScript before form submit) and decrypt/unhash it (before actual authentication happens).
Olaf Kock, modified 7 years ago.

RE: Login password appears in the clear in the request headers

Liferay Legend, Posts: 6403, Join date: 23/09/08
Mashuk Choudhury:
I enter my details and I am able to login. If I then view the first resource in the network option, I can see the request headers and after that I can see the Form Data which shows the login userid and password in the clear. The security team has picked up on this and would like the password to be masked.
Are you saying: "When I enter my password in the login box, it's being transmitted to the server"?

There's nothing that you can do with it, that is worth thinking about, except forcing https. Anything else will be obfuscating, but not adding security.
Mashuk Choudhury, modified 7 years ago.

RE: Login password appears in the clear in the request headers

Junior Member, Posts: 33, Join date: 31/01/14
Olaf Kock:

Are you saying: "When I enter my password in the login box, it's being transmitted to the server"?
There's nothing that you can do with it, that is worth thinking about, except forcing https. Anything else will be obfuscating, but not adding security.

When I enter my login details and click submit then it's being transmitted. I am checking with the application security team to see if the problem is related to https not being set up correctly on the testing environment.
Olaf Kock, modified 7 years ago.

RE: Login password appears in the clear in the request headers

Liferay Legend, Posts: 6403, Join date: 23/09/08
Mashuk Choudhury:
When I enter my login details and click submit then it's being transmitted. I am checking with the application security team to see if the problem is related to https not being set up correctly on the testing environment.

I'm wondering what your app security team is expecting, or how they'd like the password to be transmitted to the server in order to log in. There's no problem with transmitting a clear text password to the server, if it's done through https. Transmitting an encrypted password would require the transmission of the encryption key as well, which wouldn't make it more secure. That's exactly the problem that https solves.
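Forcing https on Liferay 6.2, as recommended in this post and the one above, is mostly a matter of portal configuration plus TLS on the web server or Tomcat connector in front of it. The fragment below is an added illustration for this thread, not configuration posted by anyone in it; the property names are the standard ones from Liferay's default portal.properties (check them against the file shipped with your version), and the hostname is a placeholder.

```properties
# Added example for this thread (not from the original posts):
# portal-ext.properties settings that make Liferay 6.2 generate https
# links and refuse plain-http logins. Property names are the standard
# ones from Liferay's default portal.properties; verify against your version.

# Build absolute URLs, including the login redirect, with https.
web.server.protocol=https

# Hostname used when Liferay builds absolute links (placeholder value).
web.server.host=portal.example.com

# Reject login attempts that arrive over plain http and send the user
# to the https login page instead.
company.security.auth.requires.https=true
```

These settings only help if TLS is actually terminated in front of the portal (on the Tomcat connector or on a reverse proxy that forwards the original scheme), and an HSTS header at the web server stops browsers from starting the session over http at all. Note that the browser's own developer tools will still show the submitted form fields in the clear even over https, because they display the request before it is encrypted; that is not evidence of a transport problem.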
Mashuk Choudhury, modified 6 years ago.

RE: Login password appears in the clear in the request headers

Junior Member, Posts: 33, Join date: 31/01/14
Olaf Kock:
I'm wondering what your app security team is expecting, or how they'd like the password to be transmitted to the server in order to log in. There's no problem with transmitting a clear text password to the server, if it's done through https. Transmitting an encrypted password would require the transmission of the encryption key as well, which wouldn't make it more secure. That's exactly the problem that https solves.

So the problem was that the user credentials were being transmitted over http rather than https. So transmitting over https will be sufficient to resolve this.
Thanks to everyone who posted to this thread.
Chanakya P, modified 1 year ago.

RE: Login password appears in the clear in the request headers

Junior Member, Posts: 72, Join date: 17/02/14
Hi Team,
I am also facing the same issue even though my site has https.
How do I disable logged user credentials from the headers?
Can anyone help out?
Olaf Kock, modified 4 years ago.

RE: Login password appears in the clear in the request headers

Liferay Legend, Posts: 6403, Join date: 23/09/08
Chanakya P:

Hi Team,
I am also facing the same issue even though my site has https.
How do I disable logged user credentials from the headers?
Can anyone help out?

What's wrong with the answer here, and the one that I gave yesterday?