Forum Discussion

Karim's avatar
Karim
Icon for Cirrostratus rankCirrostratus
Sep 11, 2020

DataSafe password encryption ...not really

Hi team,

I just performed a test with datasafe on version 15.1.0.2. I set my login url to "/user_login.php" and the parameters "username" and "password" for the username/password field of my webpage. I asked datasafe to encrypt and obfuscate both my username and password parameters. then I reloaded my webpage.

I entered "kabe_admin" as username and "kabe_password" as password. Then I opened the browser (firefox80.0.1) console and lunched a small script which displays all the forms fields value:

javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { s += f[i].name + ":" + f[i].value + " " + f[i].type +"\n"; } } if (s) console.log("Passwords in forms on this page:\n\n" + s); else alert("There are no passwords in forms on this page.");})();

 

I got the following result:

 

Passwords in forms on this page: 
: hidden 
q: text 
:Go! submit 
: hidden 
id:0 select-one 
:Go! submit 
:kabe_admin text 08be7f2d16081800e5fbe4edc855463d5cc54fb3a397ca49d50c3cfe8264b225:08be7f2d1601180010d043f60ed0f20d2f34b275f9ce23baa960c9df7db6d1ba49319e1d865eea4a041b67c9c000990995b6b970bf72f8ccdc839ede5b0f1867a8c31c243b82fb013ee662ec07920ca89ecbd4ca664477130129742ef43dd4ed1414f7bfc7c4af165db6e2b448dcddee856cef14d376fd0a0f93356891cea6ce48ab7fa20410 hidden 
:kabe_password password 08be7f2d16081800e3908b0fe720a0fa78171259b4b5ff7e142021740647c372:08be7f2d1601180010d043f60ed0f20d2f34b275f9ce23baa960c9df7db6d1ba49319e1d865eea4a041b67c9c000990995b6b970bf72f8ccdc839ede5b0f1867a8c31c243b82fb013ee662ec07920ca89ecbd4ca664477130129742ef43dd4eda4b79a1d9a94b53f4fe4e37fefa20dc2709bfed517f1710e8a30f48bd6b045e84cadff3b1ac7048d9f hidden 
: submit 
action:login hidden

 

As you can see in the output, I was able to get a clear version of the password ! ok the field name doesn't appear in front of "kabe_password" but nonetheless it is of type "password" and after all the password is visible with this simple JS code !

If I can do it, I think that a Malware will more than able to do the same , right ? isn't it the goal of Datasafe to prevent malware from stealing information like this ? Is this a huge bug ? or am I missing something ?

 

PS: This is lab environment and I can share my config if needed. although this can easily be reproduced.

many thanks,

karim

 

 

ASM Advanced WAF
security
WebSafe
  • Andrew-F5's avatar
    Andrew-F5
    Icon for Employee rankEmployee
    Sep 15, 2020

    Did you follow the link here to first confirm the encrypt/obfuscate features are indeed functioning? It seems as if they aren't, possibly due to a misconfiguration or bug.

  • LB's avatar
    LB
    Icon for Cirrus rankCirrus
    Sep 15, 2020

    Are you sure you have the correct parameter names?

  • Karim's avatar
    Karim
    Icon for Cirrostratus rankCirrostratus
    Sep 28, 2020

    You can find bellow my config :

    0691T000009ifnOQAQ.jpg

    very simple, with no special customization except the added login url (/user_login.php) and the username/password parameters.

     I'm sure that I am using the correcte parameter names, because they are encrypted/obfuscated when they leave the browser.

     

    I've been told that this profile doesn't protect from "malware in the browser" and that is what my little JS script mimics . is it possible that it's the answer ? or am I hitting a bug here ?  

    If anyone else can make the same very quick test and ensure that the JS script above displays the parameter values it would be very nice ,

    many thanks,

    karim