Solved

How to hide the password and username not to be revealed in post data in asp.net?

Posted on 2016-07-20
8
40 Views
Last Modified: 2016-08-04
Hi, from our login page, when user logins, the post data, reveals the user name and password as follows:

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=....&ctl00%24MainBody%24Login1%24UserName=xxxx&ctl00%24MainBody%24Login1%24Password=yyyyy&ctl00%24MainBody%24Login1%24LoginButton=Log+In

Open in new window


Could someone throw some light on how to fix this. This security issue we wanted to fix in our site.  Thanks.
0
Comment
Question by:Valliappan AN
  • 5
  • 3
8 Comments
 
LVL 2

Expert Comment

by:JesNoFear
ID: 41721120
Use Session("UserName") and Session("Password"), or make them less descript.
Session("xxxx") is a user session based variable.

you may need to change your posting method from Post to Get.

also, if you did not want to use the session var's, by changing it to GET, you can call the variables that were filled in the form.

an example of using get can be found here, http://www.w3schools.com/asp/asp_inputforms.asp
0
 
LVL 9

Author Comment

by:Valliappan AN
ID: 41721131
Making it to Get, will make it visible in querystring. We do not want it either way to be visible to avoid any man-in-the-middle-attack.

If i understood what you suggest, How do we set session variable from login textbox, from client side?

Note: Also the site is already https, so the communication should be secure i think.  But in browser when we view postdata, it reveals the password and user name.

thanks.
0
 
LVL 2

Expert Comment

by:JesNoFear
ID: 41721140
what is your button click code for login?
0
 
LVL 9

Author Comment

by:Valliappan AN
ID: 41721167
Sorry, we use login control.

And the OnAuthenticate code goes like this:

protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
        {
            e.Authenticated = ValidateUser(Login1.UserName, Login1.Password);
        }

private bool ValidateUser(string sUser, string sPwd)
        {
              //validate here and return value.
        }

Open in new window

0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 2

Expert Comment

by:JesNoFear
ID: 41721458
cool, so it looks like your are using C, and not vb.net, but that's ok

so right before your "Return True;" in the ValidateUser, add in a
Session["UserName"] = sUser; 
Session["Password"] = sPwd; 

Open in new window


https://msdn.microsoft.com/en-us/library/ms178581.aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-1
0
 
LVL 9

Author Comment

by:Valliappan AN
ID: 41721475
No, we do not want the username or password, but when authenticating itself (before ValidateUser here), in the POST data,

for example in Internet Explorer - F12 - 'Developer Tools',
1) click on Network tab
2) click green arrow - On

Login to the page with credentials.

3) click Details to see the POST data.  The user is able to see the username and password in POST data. This reported SQL Injection vulnerability.

Thanks.
0
 
LVL 2

Expert Comment

by:JesNoFear
ID: 41721496
what is your login button look like?
something like this?
<asp:Button ID="btnLogin" Runat="server" Text="Login" OnClick="Login_Click"></asp:Button>

Open in new window


Your login page should be something like this,
https://msdn.microsoft.com/en-us/library/xdt4thhy.aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-6
0
 
LVL 2

Accepted Solution

by:
JesNoFear earned 500 total points
ID: 41721957
in doing the developer view like you described. If you look in the body of the transaction, you do see the username and password, but this is required. same as using GET.
The reason you see this is because between the web browser session to the server, the username and password need to be passed. otherwise the server would never get what is entered in the browser.

but as far as the URL, it should not be part of URL, which is what i though this topic was originally about, using the POST method.

the only way to make sure it stays secure is to encrypt it with an SSL Cert, which you said you have already done.

aside from that, you could in the code, encrypt the fields and decrypt them on the server side.
something like http://www.saipanyam.net/2010/03/encrypt-query-strings.html

but all you are doing is double encryption, it just depends on how paranoid you are over the login sessions.

one way to safeguard your data is to be sure your SSL Cert has a high level of encryption, 2048 is the bare minimum currently.

Hope this answers your question.

another reference: http://stackoverflow.com/questions/202011/encrypt-and-decrypt-a-string
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Parsing a CSV file is a task that we are confronted with regularly, and although there are a vast number of means to do this, as a newbie, the field can be confusing and the tools can seem complex. A simple solution to parsing a customized CSV fi…
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now