Closed mrjones-plip closed 5 months ago
@mrjones-plip What browser are you using? I'm seeing POST requests and no-repro on both Chrome or Firefox. Do you reproduce this there?
oh no! So sorry @kennsippell. I'm using latest FF on Ubuntu 22. I had trouble reproducing it as well, and then I blocked unpkg.com with the plugin I use and the behavior manifested.
It's reasonable to assume no one is running the same prohibitive plugin I am - so closing ticket.
That said, I do think it would be nice if there weren't any third parties we were dependent on. Filed a ticket!
I just noticed that when logging in, the app does a `GET` request with the `domain` (CHT URL), `username` and `password` passed as a query string. This means that a number of systems just logged the password in the clear, by default. Demo of this is shown in video below and here's a sample node app log entry:
The fix for this is to not use the query string. Instead use `POST` when transmitting login credentials. Alternately, HTTP headers can be used, outside the purview of the query string. For more info, see OWASP's "Sensitive information in HTTP requests".

https://github.com/medic/cht-user-management/assets/8253488/f4320926-77cf-47b1-abf5-6e0e7093e04a