Sushant
May 05, 2021

Verifying DataSafe is working or not?

I have attached my DataSafe profile with my virtual server but am not able to check its status. How can we verify DataSafe is working fine? Inspect with my current web doesn't display anything regarding credentials.

  • Have you configured the URLs (perhaps a login page) and parameters (typically username and password) within the profile? Every DataSafe profile requires at least one URL to protect. If you view your application using Developer tools in your browser you should see the obfuscated JavaScript related to the protections you configured. Make sense?

  • Hi Erik, thank you for replying back! Yes, I have configured the URL (login page), example: /login.php... As per my understanding we do not need to mention the full URL, and I have also mentioned the parameters. I am not able to verify... I have seen some of the videos on YouTube and did get the point but cannot find the same details in my specific application.

  • OK, for the parameters you added to the profile, you must have selected "Identify as Username" and/or "Encrypt" and/or "Substitute Value." DataSafe secures Document Object Model objects such as your web forms on the client side. First access your web application using Chrome, but don't log in. Turn on Developer tools, right-click on one of the protected form elements, and then select Inspect.

    Then log in to your application. You should see something like document.form[0].username.value but the actual value should be obfuscated. If you see identifiable credentials in any of the fields you are inspecting then you need to configure DataSafe to protect them.

    • Sushant

      Hello Erik, thank you again for replying... I can find the username and password parameter value if I type the wrong username and password, but cannot find it once I enter the correct username and password. Should it be encrypted even if I enter the wrong username and password?

  • If you selected encryption for each of these then yes, you should see obfuscated values. Are you using decoy forms? If so, you should be able to see these also.

    • Sushant

      Hi Erik... lots of tries with no success. I do not get the Form Data once I enter the correct username and password, but with an incorrect username and password Form Data is generated but without encryption.

       

      [Screenshots not preserved. Section labels: URL; PARAMETERS; APPLICATION LAYER ENCRYPTION; SSID]

      Are login page properties mandatory?

  • Yes, you will need to specify conditions for validating successful login. If you are using a response code, be careful with either 200 or 302 as an expected code. Very often, 200 is not accurate if the page immediately redirects a user, in which case 302 is the expected code. That's a common mistake. If you are using an explicit URL, make sure that case sensitivity is correct: /Login.php and not /login.php. For your user name parameter, make sure you selected the option "Identify as Username" in the URL Configuration section.

    • Sushant

      Erik, I am getting an error of lower case sensitive as my URL is in upper case letters... Any solution for this?

  • Yes. By default, DataSafe treats URLs in the URL list as case-sensitive. There is a checkbox for the option in the properties of the URL. By default, the option is not selected, and you should only select it if your app uses case-sensitive URLs. The problem is that you cannot change the settings after the anti-fraud profile is created. So to fix this problem, delete the profile and create a new one. Most likely your app is not case sensitive.