I am making a PROPFIND Ajax request to the server using XmlHttpRequest in Firefox. The server is using Basic authentication. I pass credentials to the open method:

xhr.open("PROPFIND", "https://serv/folder/", false, "User1", "password");

Using Fiddler I have discovered that the request looks like the following:

PROPFIND https://User1:password@serv/folder/

As far as I understand it makes no sense to pass login and password in the URL. I think this is a Firefox bug.

Does it present any security risk in case I am using SSL?

IT Hit WebDAV

1 Answer

Yes, there is a security risk in sending the user name and password in the URL, even if you are using SSL. Most routers, gateways, firewalls and servers log the request URL, so if the user name and password are appended to the URL as a query string they can be logged. But if it is possible to send the credentials as POST data, and you are using SSL, the data is encrypted so it is not visible during transmission.

Pankaj Dey
  • I believe only the domain is visible to the firewall, the rest of the URL is not. But it is not clear to me if this User1:password part is treated as part of the domain or not. – IT Hit WebDAV Sep 12 '13 at 19:47
  • The request URL goes as plain text, so any part of the request URL is visible. – Pankaj Dey Sep 13 '13 at 05:35
  • The question about server path encryption is clarified here, Pankaj: http://stackoverflow.com/questions/499591/are-https-urls-encrypted. My question is more about the particular case when user name and password go as https://User1:password@serv – IT Hit WebDAV Sep 13 '13 at 18:00
  • Yes, that is true, but still, the web server can log the URL, and that can cause leakage. – Pankaj Dey Oct 30 '13 at 16:58
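The alternative both the question and the answer circle around, as an added example that is not from the original thread: send the Basic credentials in an Authorization header instead of through open()'s user/password arguments (so no user:password@ ever appears in the request URL), and redact userinfo from any URL before it reaches a log. The recordingXhr test double and all function names are this example's own assumptions, not the asker's code.

```javascript
// Added example: WebDAV PROPFIND with Basic auth kept out of the URL.
// Runs in a browser or in Node (TextEncoder, btoa and URL exist in both).

// RFC 7617 Basic credentials: base64("user-id:password"). The pair is UTF-8
// encoded first so btoa() cannot throw on non-Latin-1 passwords.
function basicAuthHeader(user, password) {
  if (user.includes(":")) throw new Error("user-id must not contain ':' (RFC 7617)");
  const bytes = new TextEncoder().encode(`${user}:${password}`);
  return "Basic " + btoa(String.fromCharCode(...bytes));
}

// True when the URL carries userinfo (https://user:password@host/...), the form
// that ends up in proxy and server access logs.
function urlCarriesCredentials(url) {
  const u = new URL(url);
  return u.username !== "" || u.password !== "";
}

// Copy of the URL with userinfo stripped; log this form, never the raw one.
function redactUrl(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  return u.href;
}

// PROPFIND with credentials in a header. xhrFactory is injected so the function
// can be exercised outside a browser; in a page pass () => new XMLHttpRequest().
function propfind(xhrFactory, url, user, password, depth = "1") {
  if (urlCarriesCredentials(url)) throw new Error("refusing to send credentials in the URL");
  const xhr = xhrFactory();
  xhr.open("PROPFIND", url, true); // no user/password arguments to open()
  xhr.setRequestHeader("Authorization", basicAuthHeader(user, password));
  xhr.setRequestHeader("Depth", depth);
  xhr.setRequestHeader("Content-Type", 'application/xml; charset="utf-8"');
  xhr.send('<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>');
  return xhr;
}

// Constructed stand-in for XMLHttpRequest that only records what would be sent.
function recordingXhr() {
  return {
    headers: {},
    open(method, url, async) { this.method = method; this.url = url; this.async = async; },
    setRequestHeader(name, value) { this.headers[name] = value; },
    send(body) { this.body = body; },
  };
}

const sent = propfind(recordingXhr, "https://serv/folder/", "User1", "password");
console.log(sent.method, redactUrl(sent.url), sent.headers.Authorization);
```

Because the credentials travel only in the header, a proxy or server log line built from the method and URL shows `PROPFIND https://serv/folder/` and nothing more.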