For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

KarimBenyelloul's avatar
KarimBenyelloul
Icon for Cirrostratus rankCirrostratus
Sep 11, 2020

DataSafe password encryption ...not really

Hi team,

I just performed a test with datasafe on version 15.1.0.2. I set my login url to "/user_login.php" and the parameters "username" and "password" for the username/password field of my webpage. I asked datasafe to encrypt and obfuscate both my username and password parameters. then I reloaded my webpage.

I entered "kabe_admin" as username and "kabe_password" as password. Then I opened the browser (firefox80.0.1) console and lunched a small script which displays all the forms fields value:

javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { s += f[i].name + ":" + f[i].value + " " + f[i].type +"\n"; } } if (s) console.log("Passwords in forms on this page:\n\n" + s); else alert("There are no passwords in forms on this page.");})();

 

I got the following result:

 

Passwords in forms on this page: 
: hidden 
q: text 
:Go! submit 
: hidden 
id:0 select-one 
:Go! submit 
:kabe_admin text 08be7f2d16081800e5fbe4edc855463d5cc54fb3a397ca49d50c3cfe8264b225:08be7f2d1601180010d043f60ed0f20d2f34b275f9ce23baa960c9df7db6d1ba49319e1d865eea4a041b67c9c000990995b6b970bf72f8ccdc839ede5b0f1867a8c31c243b82fb013ee662ec07920ca89ecbd4ca664477130129742ef43dd4ed1414f7bfc7c4af165db6e2b448dcddee856cef14d376fd0a0f93356891cea6ce48ab7fa20410 hidden 
:kabe_password password 08be7f2d16081800e3908b0fe720a0fa78171259b4b5ff7e142021740647c372:08be7f2d1601180010d043f60ed0f20d2f34b275f9ce23baa960c9df7db6d1ba49319e1d865eea4a041b67c9c000990995b6b970bf72f8ccdc839ede5b0f1867a8c31c243b82fb013ee662ec07920ca89ecbd4ca664477130129742ef43dd4eda4b79a1d9a94b53f4fe4e37fefa20dc2709bfed517f1710e8a30f48bd6b045e84cadff3b1ac7048d9f hidden 
: submit 
action:login hidden

 

As you can see in the output, I was able to get a clear version of the password ! ok the field name doesn't appear in front of "kabe_password" but nonetheless it is of type "password" and after all the password is visible with this simple JS code !

If I can do it, I think that a Malware will more than able to do the same , right ? isn't it the goal of Datasafe to prevent malware from stealing information like this ? Is this a huge bug ? or am I missing something ?

 

PS: This is lab environment and I can share my config if needed. although this can easily be reproduced.

many thanks,

karim

 

 

ASM Advanced WAF
security
WebSafe

3 Replies

  • Andrew-F5's avatar
    Andrew-F5
    Icon for Employee rankEmployee
    Sep 15, 2020

    Did you follow the link here to first confirm the encrypt/obfuscate features are indeed functioning? It seems as if they aren't, possibly due to a misconfiguration or bug.

  • LB's avatar
    LB
    Icon for Cirrus rankCirrus
    Sep 15, 2020

    Are you sure you have the correct parameter names?

  • KarimBenyelloul's avatar
    KarimBenyelloul
    Icon for Cirrostratus rankCirrostratus
    Sep 28, 2020

    You can find bellow my config :

    0691T000009ifnOQAQ.jpg

    very simple, with no special customization except the added login url (/user_login.php) and the username/password parameters.

     I'm sure that I am using the correcte parameter names, because they are encrypted/obfuscated when they leave the browser.

     

    I've been told that this profile doesn't protect from "malware in the browser" and that is what my little JS script mimics . is it possible that it's the answer ? or am I hitting a bug here ?  

    If anyone else can make the same very quick test and ensure that the JS script above displays the parameter values it would be very nice ,

    many thanks,

    karim