Securing and/or encrypting (hiding) POST variables in a jQuery ajax request

Question

I have an invite form on a web application I am working on. This invite form requires the user to select an email account and then enter a username and a password. These details are sent as POST variables via an ajax request using jQuery. The problem is that I can see the entered password (as well as other POST variables) in plain text using mozilla plugin FireBug.

I believe being able to see the password in plain text (in Firebug) is not ideal. Is there anyway I can prevent this? I tried making the ajax call FROM a page served over HTTPS and made the request over HTTPS as well but I can still see all the POST variables in plain text in Firebug.

Is there some way I could encrypt these variables client-side and then decrypt them on the server-side? Or is there some other solution?

Answer 1

I prefer using jsencrypt :

You can Encrypt all input fields & post data before send Ajax using public key. Then Decrypt it server-side with private key.

Note:To improve security it's better to sign(using jsencrypt) the Hashed content(using ex:cryptojs) to achieve Better security.

Hope to be helpful,

Answer 2

Your variables are encrypted for a tool or software which behaves like as man-in-the-middle. Your browser or browser plugin like firebug or google chromes network request and response monitoring panel doesn't behaves as man-in-the-middle. Rather they are valid client who has the key to decrypt response from server or encrypt the data before sending to server.

If you wish to test whether your data are encrypted or not you can use a tool like fiddler or charles as web debugging proxy. Through these tools you can easily see the data going to the https server and response from the server is encrypted.

Answer 3

May be this page will help: http://www.jcryption.org

This library allow to encrypt the data & send using ajax get/post, as variables are encrypted, it very hard to guess the data.

Library use public/private key concept with openssl.

I hope this will be helpful for someone

Answer 4

You are using Firebug at client side for testing and if you are using HTTPS to send post data so that will be in encrypted form while sending to the server so you don't have to worry there isn't possibility of middle-man sniffing attack to retrive the password in plain text if you are using HTTPS.

You can see the password field in firebug because its on client side browser and all the data are visible to you as a developer.

Answer 5

You will always be able to see all of your variables in Firebug. It only means that anyone would only see his own password if he uses Firebug so it is not a vulnerability.

Don't reinvent the TLS/SSL. Just use HTTPS and it will do just that: encrypt these variables client-side and then decrypt them on the server-side.

Answer 6

If you're using HTTPS, there's no need to worry (as long as HTTPS is properly setup, but this isn't relevant to this question).

You can see the values in Firebug because Firebug can see the headers sent by your browser, but no one except the browser can read these data.

Actually, you can't hide the value from Firebug, because the browser has to know what to send and Firebug can access everything your browser can.