Open ashishpilania18 opened 4 years ago
@ashishpilania18 I don't see a problem here. The browser's Network tab is supposed to show you the plain-text values of the form you are submitting. If you are using HTTPS,
the form will be encrypted when it is transmitted on the wire (when going out of the browser).
@praminda I understand, but as per the security guidelines by OWASP, it should be encrypted at the client end before sending over HTTPS, so at the client end also no one can see the password.
I still have my concerns regarding how a third party can exploit this. Anyway, since this is a security-related issue, can you please report it according to the project security policy at https://github.com/wso2/product-apim/security/policy
@praminda For example, say I have put a sniffer in your network, and while you are logging in I am sniffing all the packets you are sending. So before the packet reaches HTTPS from your HTTP network I will have your password, which will make the complete system vulnerable. Please have a look into it.
Hi @ashishpilania18,
No, that is not possible with how HTTPS works; sniffing in the middle means you should have the private key of the API Manager server, isn't it?
@tmkasun
For security reasons we have put your application behind a WAF, and due to this one can easily view the password at the WAF. So to avoid this we require password hashing over TLS. Please help and suggest any method to implement this at our end.
@tmkasun
Please help in this regard and suggest any change we can make at our end to make it happen.
Description:
The password is flowing in plain text when a user logs into any module in APIM.
Steps to reproduce:
Once logged in, please check the form data in the Headers tab: the password is showing in plain text.
According to OWASP A3 (Sensitive Data Exposure), a password can't travel in plain-text format, and it should be prevented by following
Please look into it and help, as this is a major concern; can we include this in the final version of 3.1? It will be highly appreciated.
Affected Product Version:
All versions of APIM
Environment details (with versions):