Why is livehttpheaders showing my username and password and how can I prevent it?
I was looking at the livehttpheaders plugin for Firefox and decided to check my login page. I noticed that the parameters shown inside it contain my username and password. For instance:
username=sarmenhb&password=thepassword&submit=Login
in plain English.
I don't see this on other sites.
What could I be doing wrong? I see this as a security flaw. All the login page does is validate and register the user. All fields run through mysql_real_escape_string (in case it is relevant).
The information must somehow get to the server from the client. Use SSL if you are concerned about security.
Even if you do an MD5 hash in JavaScript, this doesn't help, because it is trivial to send the hash to the login page and the hash effectively becomes the password. All things are plain text as long as they, or the transport, are not encrypted. POST variables, use SSL.
Added from my comment below: you cannot see headers for other sites because they might use AJAX, POST, or some other client-side mechanism for authentication.
This reminds me of some building in a big city (I'm sure there are others elsewhere) where they have a web interface for the building's concierge. Residents can log into the website (via http) and indicate (among other things) who is allowed to enter their apartment for renovations, etc., in their absence. I'm sure it was all programmed by someone's nephew who is a "guru".
I'm sure this is, shall we say, good enough.
You are seeing this for your site and not others, because livehttpheaders shows the URL for GET requests, but does not display content for POST requests.
Sending login information via GET requests is a minor additional security concern compared with sending it as POSTs, as URLs for GET requests are often logged in different places, whereas almost no one logs the POST content. Is anyone with permission to view web server logs allowed to know the CEO's password?
However, as others have pointed out, unless you use https: to login, data is sent over the network in plain text, whether you use GET or POST. This is almost always bad.
However, as an interim measure, I would modify your application to send the username and password as a POST, not a GET, so that you don't store usernames and passwords in your web server logs. It is useless to have https over the wire if you then write the username and password to an insufficiently secure log file on the server.
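As an added example (not from this thread), here is a small Python script that takes the defender's side of the point made above: it scans constructed Apache-style access-log lines for credentials carried in GET query strings, reports them, and redacts the values so stored logs stop holding passwords. The log lines and the list of sensitive parameter names are assumptions to adapt to your own application.

```python
"""Find and redact credentials leaked into access logs via GET query strings.

Added example, not code from the original thread. The log lines are
constructed samples in Apache combined format; SENSITIVE_PARAMS is an
assumption and should be adapted to the application being protected.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (combined log format).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login.php?username=sarmenhb&password=thepassword&submit=Login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:57:12 +0000] "GET /search.php?q=firefox HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:58:40 +0000] "GET /api?token=abc123&page=2 HTTP/1.1" 200 77 "-" "curl/7.68"
"""

# Parameter names that should never travel in a URL (assumed list; extend for your app).
SENSITIVE_PARAMS = {"password", "passwd", "pass", "pwd", "token", "secret"}

# Minimal parser for the request part of a combined-format log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def find_leaks(log_text):
    """Return (method, path, [leaked parameter names]) for every request whose
    query string carries a sensitive parameter. POST bodies never reach the
    access log, so only URL query strings can be inspected here."""
    leaks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
        hit = sorted(n for n in names if n.lower() in SENSITIVE_PARAMS)
        if hit:
            leaks.append((m.group("method"), parts.path, hit))
    return leaks


def redact(line):
    """Mask the values of sensitive query parameters in one log line."""
    pattern = r'([?&](?:%s))=[^&\s"]*' % "|".join(sorted(SENSITIVE_PARAMS))
    return re.sub(pattern, lambda m: m.group(1) + "=[REDACTED]", line, flags=re.IGNORECASE)


if __name__ == "__main__":
    for method, path, params in find_leaks(SAMPLE_LOG):
        print(f"{method} {path}: sensitive parameters in URL -> {', '.join(params)}")
    print(redact(SAMPLE_LOG.splitlines()[0]))
```

Run against a real log the same way; the POST line in the sample shows why moving the form to POST keeps the credentials out of the log in the first place.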
When you use http and submit a form, the content of the form is sent over the wire "in clarity" as you can see. When this form submission includes credentials, then yes, you have a security issue.
Among your alternatives:
- Use https so that the transmission is encrypted.
- Use OpenID for login, which pushes https credential management on the OpenID user provider
- Use client side Javascript to encrypt credentials before submitting the form
The latter approach tends to get people into trouble if they are not very careful, because the credential encryption mechanism is fully visible to anyone looking at the JavaScript.
POST requests are also displayed in the HTTP header. POST sends data in the same way as GET; the only difference is that in a GET the variables are passed in the URL itself, whereas in a POST they are added to the HTTP header.
To increase security, use encryption in JS (password only, or token + password). But this can still be hacked using rainbow tables for MD5 or any other hashing technology.
SSL is the only way to achieve high security.