Product-apim: Password is flowing in plain text while logging in APIM

Created on 11 Mar 2020  ·  7Comments  ·  Source: wso2/product-apim

Description:


Password is flowing in plain text when a user logs into any module in APIM.

Steps to reproduce:

  1. Log in to https://localhost:9443/publisher with the browser's inspect mode turned on.

Once logged in, check the form data in the Headers tab: the password is shown in plain text.

[image]

According to OWASP A3 - Sensitive Data Exposure, a password cannot travel in plain text format, and this should be prevented by the following:

  1. Encrypt all data in transit with secure protocols such as TLS with perfect forward secrecy (PFS) ciphers, cipher prioritization by the server, and secure parameters. Enforce encryption using directives like HTTP Strict Transport Security (HSTS).
  2. Disable caching for responses that contain sensitive data.
  3. Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt or PBKDF2.

Please look into it and help, as this is a major concern. Can we include this in the final version of 3.1? It would be highly appreciated.

Affected Product Version:


All versions of APIM

Environment details (with versions):

  • OS: Windows 10
  • Priority: Normal
  • Type: Bug

All 7 comments

@ashishpilania18 I don't see a problem here. The browser's Network tab is supposed to show you the plain text values of the form you are submitting. If you are using HTTPS, the form will be encrypted when it is transmitted on the wire (when going out of the browser).

@praminda
I understand, but as per the security guidelines by OWASP, it should be encrypted at the client end before being sent over HTTPS, so that at the client end also no one can see the password.

I still have my concerns regarding how a third party can exploit this. Anyway, since this is a security-related issue, can you please report it according to the project security policy at https://github.com/wso2/product-apim/security/policy

@praminda
For example, I have put a sniffer in your network, and while you are logging in I am sniffing all the packets you are sending. So before the packet goes over HTTPS from your HTTP network, I will have your password, which will make the complete system vulnerable.
Please have a look into it.

Hi @ashishpilania18 ,

No, that is not possible with how HTTPS works; sniffing in the middle means you would need the private key of the API Manager server, isn't it?

@tmkasun

For security reasons we have put your application behind a WAF, and due to this one can easily view the password at the WAF. So to avoid this we require password hashing over TLS. Please help and suggest any method to implement this at our end.

@tmkasun

Please help in this regard and suggest any change we can make at our end to make it happen.
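Neither the issue body nor the replies show what the quoted OWASP items amount to in code, or why the "hash it in the browser" scheme asked for in the last two comments does not remove the exposure at a TLS-terminating WAF. The following Python example is added here by the editor; it is not WSO2 code and makes no claim about how APIM stores or checks credentials. It implements OWASP item 3 (salted, iterated PBKDF2 hashing done by the server after the plaintext password has arrived over TLS), and then models a hypothetical server that accepts SHA-256(password) from the client, to show that whatever value the browser submits is itself the credential: a middlebox that sees the decrypted request can replay it. The function names, the iteration count and the sample passwords are all constructed for this example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for this example;
# choose it per current OWASP guidance and re-tune as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """OWASP item 3 on the server side: random salt + iterated PBKDF2.

    Returns a self-describing record: algorithm$iterations$salt_hex$hash_hex,
    so the work factor can be raised later without breaking old records.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept
    _, iterations, salt_hex, hash_hex = parts
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


# --- Why client-side hashing does not help against a TLS-terminating WAF ---

def client_side_hash(password: str) -> str:
    """Hypothetical browser-side scheme from the thread: send SHA-256(password)
    instead of the password. (Constructed for this example.)"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class ClientHashServer:
    """Hypothetical server that treats SHA-256(password) as the credential.

    It still stores that credential with PBKDF2, so a database leak does not
    reveal it; the weakness shown below is on the wire, not in storage.
    """

    def __init__(self, password: str):
        self.record = hash_password(client_side_hash(password))

    def login(self, submitted_value: str) -> bool:
        return verify_password(submitted_value, self.record)


def waf_replay_succeeds(password: str) -> bool:
    """Model the situation in the thread: the WAF decrypts TLS and sees the POST body.

    The WAF operator does not learn the password, but the value they observe is
    exactly what the server accepts, so replaying it logs them in.
    """
    server = ClientHashServer(password)
    observed_on_waf = client_side_hash(password)  # what the decrypted request carries
    return server.login(observed_on_waf)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("correct password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:  ", verify_password("Tr0ub4dor&3", record))
    print("WAF replay of client-side hash logs in:", waf_replay_succeeds("s3cret-P@ss"))
```

The first half is what OWASP item 3 actually asks for, and it happens entirely on the server, after TLS has protected the password in transit; it does nothing about who can read the decrypted request. The second half shows why the request in the last two comments (hash the password in the browser) moves the problem rather than solving it: a party that can read the decrypted request body, such as the WAF, obtains a password-equivalent and can replay it, so the trust boundary is wherever TLS is terminated. The practical options are to terminate TLS only where the plaintext credential is acceptable, re-encrypt between the WAF and the backend, or avoid sending a long-lived secret at all by using a challenge-response or federated login flow; which of those fits APIM is a deployment question the thread does not answer.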
