Solved

How to hide the password and username not to be revealed in post data in asp.net?

Posted on 2016-07-20
Last Modified: 2016-08-04
Hi, on our login page, when a user logs in, the POST data reveals the user name and password as follows:

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=....&ctl00%24MainBody%24Login1%24UserName=xxxx&ctl00%24MainBody%24Login1%24Password=yyyyy&ctl00%24MainBody%24Login1%24LoginButton=Log+In



Could someone throw some light on how to fix this? We want to fix this security issue in our site. Thanks.
Question by: Valliappan AN

8 Comments
LVL 2

Expert Comment

by:JesNoFear
ID: 41721120
Use Session("UserName") and Session("Password"), or make them less descriptive.
Session("xxxx") is a user-session-based variable.

You may need to change your posting method from POST to GET.

Also, if you did not want to use the session variables, by changing it to GET you can call the variables that were filled in on the form.

An example of using GET can be found here: http://www.w3schools.com/asp/asp_inputforms.asp
LVL 9

Author Comment

by:Valliappan AN
ID: 41721131
Making it GET will make it visible in the query string. We do not want it to be visible either way, to avoid any man-in-the-middle attack.

If I understood what you suggest, how do we set the session variable from the login textbox, from the client side?

Note: Also, the site is already HTTPS, so the communication should be secure, I think. But in the browser, when we view the POST data, it reveals the password and user name.

Thanks.
LVL 2

Expert Comment

by:JesNoFear
ID: 41721140
What is your button click code for login?
LVL 9

Author Comment

by:Valliappan AN
ID: 41721167
Sorry, we use the Login control.

And the OnAuthenticate code goes like this:

    using System;
    using System.Web.UI.WebControls;

    // Raised by the Login control when the user submits the form.
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        e.Authenticated = ValidateUser(Login1.UserName, Login1.Password);
    }

    private bool ValidateUser(string sUser, string sPwd)
    {
        //validate here and return value.
        return false; // placeholder so the stub compiles; the real check goes above
    }

 
LVL 2

Expert Comment

by:JesNoFear
ID: 41721458
Cool, so it looks like you are using C, and not VB.NET, but that's OK.

So right before your "Return True;" in ValidateUser, add in a

    Session["UserName"] = sUser; // keep the submitted user name in the server-side session
    Session["Password"] = sPwd;  // keep the submitted password in the server-side session


https://msdn.microsoft.com/en-us/library/ms178581.aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-1
LVL 9

Author Comment

by:Valliappan AN
ID: 41721475
No, we do not want the username or password there; the issue is when authenticating itself (before ValidateUser here), in the POST data.

For example, in Internet Explorer - F12 - 'Developer Tools':
1) click on the Network tab
2) click the green arrow - On

Log in to the page with credentials.

3) click Details to see the POST data. The user is able to see the username and password in the POST data. This was reported as a SQL Injection vulnerability.

Thanks.
LVL 2

Expert Comment

by:JesNoFear
ID: 41721496
What does your login button look like?
Something like this?

    <asp:Button ID="btnLogin" Runat="server" Text="Login" OnClick="Login_Click"></asp:Button>

Your login page should be something like this:
https://msdn.microsoft.com/en-us/library/xdt4thhy.aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-6
LVL 2

Accepted Solution

by: JesNoFear (earned 500 total points)
ID: 41721957
In doing the developer view like you described, if you look in the body of the transaction you do see the username and password, but this is required, the same as using GET.
The reason you see this is that between the web browser session and the server, the username and password need to be passed; otherwise the server would never get what is entered in the browser.

But as far as the URL goes, it should not be part of the URL, which is what I thought this topic was originally about, using the POST method.

The only way to make sure it stays secure is to encrypt it with an SSL cert, which you said you have already done.

Aside from that, you could, in the code, encrypt the fields and decrypt them on the server side.
Something like http://www.saipanyam.net/2010/03/encrypt-query-strings.html

But all you are doing is double encryption; it just depends on how paranoid you are over the login sessions.

One way to safeguard your data is to be sure your SSL cert has a high level of encryption; 2048 is the bare minimum currently.

Hope this answers your question.

Another reference: http://stackoverflow.com/questions/202011/encrypt-and-decrypt-a-string
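For the point made in the accepted answer that the credentials have to travel in the POST body and that TLS is what protects them in transit, here is an added C# example (written for this edit, not code from JesNoFear or from the question's author) of a Web Forms code-behind for the Login control. It refuses to serve the login form over plain HTTP, so the form fields that the developer tools display are always wrapped by TLS before they leave the browser; it checks the submitted password against a salted PBKDF2 hash with a constant-time comparison; and it lets the password go out of scope after the check rather than copying it into Session. The class name LoginPage, the in-memory DemoUsers store, the demo account and the iteration count are assumptions for the illustration, not something from the thread.

```csharp
// Added example, not from the thread. Assumed names: LoginPage, DemoUsers,
// the "demo" account and the PBKDF2 parameters below.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class LoginPage : Page
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 100000; // assumed cost; tune to your hardware

    // Constructed in-memory user store standing in for the site's database:
    // only a random salt and a PBKDF2 hash are kept, never the password itself.
    private static readonly Dictionary<string, PasswordRecord> DemoUsers =
        new Dictionary<string, PasswordRecord>(StringComparer.OrdinalIgnoreCase)
        {
            { "demo", PasswordRecord.Create("correct horse battery staple") }
        };

    protected void Page_Load(object sender, EventArgs e)
    {
        // Developer tools show the form fields before TLS wraps them, so the
        // control that matters is never serving the form over plain HTTP:
        // redirect to https so the POST body is always encrypted in transit.
        if (!Request.IsSecureConnection)
        {
            var secure = new UriBuilder(Request.Url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
            Response.Redirect(secure.Uri.AbsoluteUri, true);
        }
    }

    // Wired to the Login control's OnAuthenticate event, as in the thread.
    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        e.Authenticated = ValidateUser(Login1.UserName, Login1.Password);
        // Login1.Password is not copied to Session, ViewState or logs, so the
        // plaintext only ever exists for the duration of this request.
    }

    private static bool ValidateUser(string user, string password)
    {
        PasswordRecord record;
        if (string.IsNullOrEmpty(user) || !DemoUsers.TryGetValue(user, out record))
        {
            return false;
        }
        return record.Verify(password);
    }

    // Salted PBKDF2 record. Verify() recomputes the hash from the submitted
    // password and compares in constant time so timing does not leak how many
    // leading bytes matched.
    private sealed class PasswordRecord
    {
        private readonly byte[] salt;
        private readonly byte[] hash;

        private PasswordRecord(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }

        public static PasswordRecord Create(string password)
        {
            var salt = new byte[SaltBytes];
            using (var rng = new RNGCryptoServiceProvider())
            {
                rng.GetBytes(salt);
            }
            return new PasswordRecord(salt, Derive(password, salt));
        }

        public bool Verify(string password)
        {
            return FixedTimeEquals(hash, Derive(password ?? string.Empty, salt));
        }

        private static byte[] Derive(string password, byte[] salt)
        {
            using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            {
                return kdf.GetBytes(HashBytes);
            }
        }

        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
```

With this in place the POST body still carries the user name and password, exactly as the accepted answer says it must, but only inside the TLS session, and the server keeps nothing that would let the password be recovered from a session dump or a database copy.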