Reputation: 178
Hide password in form data while sending a post request
While submitting a form's data,the password is visible in encrypted format inside the form data and also in the parameters of the POST request.
I want to hide the password in the encrypted format.In Burp Suite,the following vulnerability issue was displayed. [![enter image description here][2]][2]
I am using sha-512 for encryption and the url is https. I have been searching on this but all I have found is just to change the protocol to https from http.Please help me how to solve this issue of hiding the form data from showing the password in the POST request header parameters.
Upvotes: 3
Views: 10984
Answers (1)
Reputation: 12085
While submitting a form's data,the password is visible in encrypted format inside the form data and also in the parameters of the POST request
Indeed, the browser shows you all data that has been posted. Effectively the request has been done on behalve of user and you have to assume the user can see all information he/she has posted.
I want to hide the password in the encrypted format.
just to change the protocol to https from http
Yes, this is the correct answer, https ensures the traffic is encrypted and server authenticated and anybody sniffing out the traffic would be unable to decrypt any of posted data. What you see in the browser are data before encryption and actual transmission.
I am using sha-512 for encryption
Nope, seems you just hashed some data (please search and learn the difference between encryption and hashing), now the hash has became the password, now you need to protect the hash.
CWE-204
Nothing you've shown indicates the CWE-204 vulnerability. What you've shown is a normal post request and response with a session cookie and redirect url. Your system may or may not have the CWE-204 vulnerability, though it has nothing to do with the data you've provided.
Please help me how to solve this issue of hiding the form data from showing the password in the POST request header parameters
Now there's a question:
Is the password provided by the user and do you want to hide the password from any 3rd party (potentially sniffing out the traffic)? Then using https will do the trick. The user may still see the posted data (including the password), but well - the user provided the password, he knows it already.
If the "password" some system parameter you want to pass in the form without the user able to know it? In theory - you may encrypt the password on the server-side and decrypt the password on the target system. However - the user may just post the encrypted password again. Then you may rather use time-limited JWT token.
Upvotes: 6
Related Questions
- POST form values over HTTPS
- Passing encrypted data by POST in the form in PHP
- How to hide password from Post request url and browser dump
- Javascript Encrypt pass before POST
- Hashing a password before form submission on Server
- Sending data to form, but cant work out encrypted post data - work around
- Encrypt Post Data Before Sending
- encrypt form post data before jQuery serialize
- Submitting a Javascript form without plaintext password
- Encrypting/Decrypting a POST form