Can see my password in Inspect Element - javascript

I did a simple login page using HTML, Javascript. I validate my username and password using 'CGI'. When I click login button, a script 'login.cgi' been called using 'AJAX'. It is a POST method. Once I logged into my website, I went to Inspect element in firefox and clicked Network tab. I selected my 'login.cgi' under the Network tab. When I select the login.cgi, I can see the information of Headers, Cookies, Params, Response and Timings. I clicked Params field and checked that I can view my username and password in a plain text as parameters of that cgi script. I wish to hide my password field from this Inspect element feature. How can I do this?

If the password on your storage are hashed, and you know what alghoritm is used, you can hash your password with the same hash before to send it with post.
Then you can compare this 2 hash.
But what you have seen, it's a classic network problem, you must use an ssl connection to avoid the other person in the network with some attack can read your credentials.
This is your real problem not that the user who have written his credential can see his credentials in the network debugger tab.

Related

Restrict users from viewing page in PHP

I'm having a problem with the website that I'm making. I'm making a website where users will be able to go and watch a short video, after that they can Sign Up and get a link to verify their emails. The email goes to their inputted email and they have a verification link which leads to another page. That page has a button which leads to a Full Video. Now I want to prevent users from viewing verify page and the page where users see full video before they verify their emails. I'm fairly new to PHP and I tried something, I think it's not that good but I'm still learning.
I wanted to redirect users when they go to localhost/verify.php and allow them to go on the page when the URL is localhost/verify.php?verified=1, that ?verified=1 URL is being sent to their emails.
But whatever I type it redirects index.php
verify.php
if (stripos($_SERVER['REQUEST_URI'], 'verify.php')){
header('Location: index.php');
}
else if (stripos($_SERVER['REQUEST_URI'], 'verify.php?verified=1')){
header('Location: verify.php');
}
Is there any way I can do this better since the users don't have register option and I'm not saving any sessions.
Even if you are not creating users, you can have a table that just represents these email addresses that contains a key, email, verified(bool), verification_token(unique string) then in the controller for the verified route you can check if that verification token exists, mark the user as verified and pass them along to the video. This also allows you to store a that token in a cookie that you could check for anytime they hit that normal endpoint without the query parameter you could still treat them as verified. It's not full on auth, but it sounds like you don't want a full blown authenticatable user for these emails

jQuery Login - What is the best practise for a login?

I'm trying to improve my jQuery skills developing a litte website containing a login system.
I'm looking for the best practise and most secure login system.
So far
I had a login.html having a <form action="login.pl">.
On my login.pl I'm connecting to my database and if the user is valid I print a http-redirect to home.html adding my params (?param1=val1&param2=val2).
Now I took a different way (at least for me a better looking way).
I have a login.html doing an $.ajax request before submit.
The ajax request calls my login.plwhich is returning an json-sting containing a status.
If the json-sting status is success, I return true which results submitting the form <form method="POST" action="home.html">
Now I'm having a few questions:
My form POSTs the password to my home.html.
I believe I have to replace the password value and add some kind of session value to the form to be able to check later if the user session is valid or not. Do I?
How is this done on a professional security level?
I can't access the form data in my home.html as long as I use POST. I try to avoid using GET because professional websites don't have those ugly urls.
How am I supposed to transport username + session id? Do I have to use cookies here?
I didn't really worked with cookies so far, but since user can read cookies, I still won't add any real passwords here and replace password with a session id.
For my understandings: These security requirements won't change even with https. HTTPS provides a secure connection but I still won't save or store any real passwords anywhere on the client.

Non-persistent XSS - Meaning of '== in the URL

I'm trying to understand non-persistent XSS attack. I learnt that one of the non-persistent XSS form is adding executable along with js in the URL like below
http://www.myxsssite.com/default.aspx?requesturl=<script>alert(hello)</script>
I'm on IIS and if I try the above example, IIS itself throws-up exception saying "A potentially dangerous Request.Path value was detected from the client (<)."
But when I try the below URL I get to see an alert dialog with whatever I've added in that
http://www.myxsssite.com/default.aspx?requesturl=docs/help-files/main.htm'==alert(hello)=='
The second case occurs when an unauthenticated user tries to access the help files directly wherein the above URL gets constructed followed by redirecting to Login page. Once logged in the requesturl param will be used to redirect back to where the user started.
If the same process is replayed with a tab already having valid session it won't show the alert dialog.
The question I've here is what is the significance of '== ==', without which I don't see alert dialog
EDIT:
While redirecting to Login page this is the Response body
<html><head><script>window.top.location='http://www.myxsssite.com/default.aspx?requesturl=docs/help-files/main.htm'==alert(hello)=='';</script></head><body></body></html>
The key thing I've noticed is, If I take the URL from the response and paste it in the Browser it does not shows the alert dialog.
Now it boils down to why the alert in the URL gets fired when location is set through Javascript and why not when copied directly into the browser.

Getting email headers from within an HTML email for tracking purpose

Posting question in StackExchange for first time. Apologies if this has issues...
Need to track email open.
This is something not very new and the approach generally used is to have a pixel in the HTML which calls a server URL asynchronously. By using this we get the number of opens for an email.
Now the issue is the email is send to a Distribution List (DL) and we have a requirement to track email open and also clearly state who has opened it..
Basically when a hit to server comes, it should says xxxx#mail.com has opened this email.
In my HTML if i have a way by whcih to capture the email headers, my requirement would be sorted... I would use Javascript to get the email headers and then when i call the server URL i will send across the details...
When i searched i found a POST which was doing something similar...
Read email headers in Outlook Web Access (OWA)
But this was for office application...
Also, i am not sure whether this would even work...
Any pointers is well appreciated....
I am specifically at the moment looking for exchange server...
In my HTML if i have a way by whcih to capture the email headers
You don't.
I would use Javascript to get the email headers
You can't run JavaScript in an HTML formatted email
The only identifying information you can get back from the email is the information you put it in it in the first place.
You can put a unique ID in a tracking pixel (increasing the chances of it being marked as spam) but that ID will be given to anyone who gets a copy of the email (including if it is forwarded automatically by a mailing list or manually by a reader). The tracking will also fire only if the image is loaded from the server (plenty of people keep email image loading turned off).
There is no way to find out who your email actually ended up with.

How to get the browser to save the password even though it's not sending it to server

The situation :
For security reasons, I never send the clear password to my server.
It is sha1ed client side and only the hash is sent to the server.
edit : This is only part of my security (I use also SSL, serverside hash, synchronised salts, ...) Please dont make it a thread about security
To do that, I have 2 inputs, first one one is visible and named "password" and another one is hidden named "sha1password".
When the user click the "login" button, a JS code sha1s the "input#password", put it into "input#sha1passord" and empties the "input#password" before sending a POST to the server.
This last step is to prevent the browser from saving the sha1 password. Because if you do that, the form will be filled with a 50 caracters password and the user would be annoyed.
The problem :
This works well but the browser dont save the passord as "input#password" is empty when sending the POST. Is there a way to allow the browser to save the password without sending it to the server ?
Things to remember
Chrome dont save password if there is many password input
Chrome check for many passwords is called after the page is loaded (even after jquery $(function(){}) initialisation )
To add another password input, just user a setTimeout function after 100 ms
My solution
Hi, I finally found how browsers works.
They don't like forms with many input type=password.
I renamed #sha1password to #password. In the first HTML page, there must me no other password input so I only echo the #password input ! This way, after loading the page, the browser sees a simple login form and enables the autocomplete feature (except IE but this one is stupid and I dont care with it... How microsoft people can always develop different softwares ?).
After page initialisation + 100ms timeout, I add a new input type=password called #clearPassword. I then copy the autocompleted value which is in the #password input. Then I hide the #password input using a width+height to 0px (display none make it unsent to the server).
When the user types a password in the #clearPassword input, I empty the #password input box. This will make the new typed password hashed, other wise #clearPassword stays with a hashed value.
When the user clicks LOGIN, only if the #password box is empty I sha1 the #clearPassword input and out the value in #clearPassword. If the #password is not empty, it is the autocompleted hashed value, this is OK.
And most important thing, before sending the form to the server, I detach the $clearPassword to prevent chrome from sending it to the server.
And you're done ;) chrome stores only a hash of the clear password

Categories

Resources