apache/rocketmq-dashboard

Password exposure through query strings in url

Opened this issue · 2 comments

The issue tracker is ONLY used for bug report and feature request.

Any question or RocketMQ proposal please use our mailing lists.

BUG REPORT

  1. Please describe the issue you observed:
  • What did you do (The steps to reproduce)?

make a login to dashboard

  • What did you expect to see?

login credentials in POST body

  • What did you see instead?

login credentials in POST param

  2. Please tell us about your environment:

Latest version

  3. Other information (e.g. detailed explanation, logs, related issues, suggestions how to fix, etc):

In the nginx access log, we can see POST /login/login.do?password=12312112&username=admin

Information exposure through query strings in URL is when sensitive data is passed to parameters in the URL. This allows attackers to obtain sensitive data such as usernames, passwords, tokens (authX), database details, and any other potentially sensitive data. Simply using HTTPS does not resolve this vulnerability.
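A defender-side check for the exposure described above, added here as an example and not part of the issue or of the rocketmq-dashboard code: it scans constructed nginx access-log lines (the request target quoted in the report plus a constructed token example) for sensitive parameter names in query strings and produces a redacted copy of each offending line for safe log retention.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample access-log lines in nginx "combined" format. The first
# request target is the one quoted in the issue; the token line is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2023:10:01:02 +0000] "POST /login/login.do?password=12312112&username=admin HTTP/1.1" 200 87 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2023:10:01:05 +0000] "GET /cluster/list.query HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2023:10:02:11 +0000] "POST /login/login.do HTTP/1.1" 200 87 "-" "curl/7.88"
10.0.0.9 - - [12/Mar/2023:10:03:40 +0000] "GET /topic/list.query?token=abcdef HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Parameter names that must never travel in a URL. Matched case-insensitively
# as substrings so "passwd", "accessToken", "api_key" etc. are caught too.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "apikey", "api_key")

# The quoted request line: METHOD TARGET HTTP/x.y
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def is_sensitive(key):
    return any(s in key.lower() for s in SENSITIVE_KEYS)

def sensitive_params(target):
    """Names of sensitive query-string parameters in a request target."""
    return [k for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)
            if is_sensitive(k)]

def redact_target(target):
    """Same request target with every sensitive value replaced by [REDACTED]."""
    parts = urlsplit(target)
    pairs = [(k, "[REDACTED]" if is_sensitive(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))

def scan_log(text):
    """Return (line_no, method, path, leaked_keys, redacted_line) per offending line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        leaked = sensitive_params(target)
        if leaked:
            redacted = line.replace(target, redact_target(target))
            findings.append((n, m.group("method"), urlsplit(target).path, leaked, redacted))
    return findings

if __name__ == "__main__":
    for n, method, path, keys, redacted in scan_log(SAMPLE_LOG):
        print(f"line {n}: {method} {path} leaks {keys}\n  -> {redacted}")
```

Running the same scan over real access logs shows whether credentials have already been persisted and need log rotation or scrubbing, independently of fixing the login form itself.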

@viccctor @Oliverwqcwrw should I work on this?
Approach:

  1. We can use the request body instead of request params.
  2. If we further want to improve security, we can implement JWT-based authentication using public and private keys for encryption/decryption.

@Oliverwqcwrw What is your take on this? I will continue to look for other approaches we could use.

IMO, the appropriate authentication and authorization mechanism should be selected according to the usage scenarios.

The dashboard may be used more by internal teams, rather than needing complicated authentication algorithms.

Of course, we can also provide a variety of authentication methods for users to choose from, like the JWT you mentioned.