
I have an invite form on a web application I am working on. This invite form requires the user to select an email account and then enter a username and a password. These details are sent as POST variables via an AJAX request using jQuery. The problem is that I can see the entered password (as well as the other POST variables) in plain text using the Mozilla plugin Firebug.

I believe being able to see the password in plain text (in Firebug) is not ideal. Is there any way I can prevent this? I tried making the AJAX call FROM a page served over HTTPS and made the request over HTTPS as well, but I can still see all the POST variables in plain text in Firebug.

Is there some way I could encrypt these variables client-side and then decrypt them on the server-side? Or is there some other solution?

davidadamojr
  • A page served via HTTPS should generally yield a fairly safe form of communication between the client and the server. The fact that you can see the clear-text password is normal. You seeing the password that YOU entered in the form via Firebug does not mean others will be able to see OTHER people's passwords using the same tool. – Simon H Mar 16 '11 at 14:57
  • Firebug will still show you the request and its contents even when it is sent via HTTPS. This is because it is plugged into the browser and not into the network. If you take a tcpdump of the connection, you should see that the POSTed data has been encrypted to prevent other parties from viewing it. – a'r Mar 16 '11 at 14:59

6 Answers


If you're using HTTPS, there's no need to worry (as long as HTTPS is properly set up, but that isn't relevant to this question).

You can see the values in Firebug because Firebug can see the headers and body sent by your browser, but no one except the browser (and the server) can read this data.

Actually, you can't hide the value from Firebug, because the browser has to know what to send and Firebug can access everything your browser can.

krtek

You will always be able to see all of your variables in Firebug. It only means that anyone using Firebug would see only their own password, so it is not a vulnerability.

Don't reinvent TLS/SSL. Just use HTTPS and it will do exactly that: encrypt these variables client-side and decrypt them server-side.

Zed

Maybe this page will help: http://www.jcryption.org

This library allows you to encrypt the data and send it using AJAX GET/POST; as the variables are encrypted, it is very hard to guess the data.

The library uses the public/private key concept with OpenSSL.

I hope this will be helpful for someone.

bhushya

You are using Firebug on the client side for testing, and if you are using HTTPS to send the POST data, it will be in encrypted form while being sent to the server, so you don't have to worry: there is no possibility of a man-in-the-middle sniffing attack retrieving the password in plain text if you are using HTTPS.

You can see the password field in Firebug because it's in the client-side browser, and all the data is visible to you as a developer.

Vishwanath Dalvi

Your variables are encrypted from the point of view of a tool or software which behaves like a man-in-the-middle. Your browser, or a browser plugin like Firebug or Google Chrome's network request and response monitoring panel, doesn't behave as a man-in-the-middle. Rather, they are valid clients which have the key to decrypt the response from the server or encrypt the data before sending it to the server.

If you wish to test whether your data is encrypted or not, you can use a tool like Fiddler or Charles as a web debugging proxy. Through these tools you can easily see that the data going to the HTTPS server and the response from the server are encrypted.

Mushfiqur Rahman

I prefer using jsencrypt:

You can encrypt all input fields and POST data before sending the AJAX request using the public key, then decrypt it server-side with the private key.

Note: to improve security, it's better to sign (using jsencrypt) the hashed content (using e.g. CryptoJS) to achieve better security.

Hope this is helpful,

Behnam Alavi