[web2py] where is the path specified that points to python.exe

2022-11-25 Thread Alex Glaros
where is the path specified that points to python.exe?

Am using Windows source code for Python 3.7

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/12c9193d-54bf-4647-a248-42de3a05ef06n%40googlegroups.com.


Re: [web2py] Re: Issue password in plain text before sending when login in the website via HTTPS

2022-11-25 Thread Silvian “Top 10 Answers” Cedru
Hello Chris,

Thanks for the detailed information, appreciate it.

chriii...@gmail.com wrote on Thursday, 24 November 2022 at 03:24:06 UTC+7:

> Hello. 
>
> TLS is enough to encrypt and secure the connection, the whole point of 
> HTTPS protocol is to make a clear text channel secure. 
>
> If someone is sniffing your HTTPS connection, they will not be able to read the 
> traffic, except if the attacker performs a Man in the Middle and replaces 
> the TLS certificate like burpsuite does, but if something like that happens, 
> there is no point in hashing the username and password because capturing the 
> session cookie will be enough to enter the application, or even reusing 
> the transmitted hash.
>
> I'm not aware of any mechanism in web2py to hash the username/password. 
> Maybe you can achieve this by adding some javascript code that hashes these 
> values when you click on submit, and you will probably have to modify an 
> internal component in web2py to make the auth validation able to read your 
> hashed data.
>
> I've been working in the world of cyber security for a lot of years 
> and most of the time when someone points this out as a vulnerability it is 
> because he probably doesn't understand the subject really well and raises an 
> alarm for something that is already protected. In this case HTTPS is 
> enough. If your cyber security officer is saying that the app is not 
> protected even using HTTPS and gives you examples with burpsuite, it is clear 
> that he/she does not understand why burpsuite is able to decrypt data (due to 
> its own certificate) and will think that everything is unencrypted.
>
> I've some banks that like to hash the transmitted data even with the 
> HTTPS protection. But again... this is not really secure because hashing 
> data before sending would need to be performed in the browser via 
> javascript, and if the hash process happens on the client side, you can see 
> how the encryption is made and reverse it. Even if javascript functions are 
> obfuscated, you just have to put some breakpoints in the javascript console 
> (browser console) and catch events until you find where the hashing process 
> is made, and perform a reverse of that function.
>
>
> Cheers.
> Chris,
>
> On Wed, 23 Nov 2022 at 15:59, Arglanir () wrote:
>
>> Hello,
>> It is a big question, and does not concern only web2py. You can find 
>> people asking the same general question on StackOverflow. And the answers 
>> are generic: the most important thing is the TLS communication.
>>
>> https://security.stackexchange.com/questions/110415/is-it-ok-to-send-plain-text-password-over-https
>>  
>> (and see linked duplicate questions)
>> Do you know any website that does hash the password client-side?
>> Arglanir
>>
>>
>> On Tuesday, 22 November 2022 at 01:20:06 UTC+1, silvia...@gmail.com wrote:
>>
>>> Thank you, but do you have any suggestions what to do, because our 
>>> cybersecurity officer keeps complaining about that, so do I need to change some 
>>> settings in web2py or do you have an idea how I can sort it out?
>>>
>>> Kind regards
>>>
>>> On Tue, 22 Nov 2022 at 02:23, Christian Varas <chriii...@gmail.com> wrote:
>>>
>>>> Hi,
>>>> It's OK, it's the way it works. If you put a local proxy like burp and 
>>>> then you go and capture traffic, it is ok that you can see clear text data 
>>>> because burp proxy puts its own certificate between client and backend; 
>>>> because of that burp proxy can decrypt and show you clear text data. If 
>>>> you sniff with a packet capture like wireshark, you will see everything is 
>>>> encrypted.
>>>>
>>>> Salting your password/username before sending it is not really secure, 
>>>> because hashing the username/password before sending would need to be 
>>>> performed in the browser via javascript, and if the hash process happens on 
>>>> the client side, you can see how the encryption is made and reverse it.
>>>>
>>>> Cheers.
>>>> Chris.
>>>>
>>>> On Mon, 21 Nov 2022 at 5:01, Silvian “Top 10 Answers” Cedru 
>>>> (<silvia...@gmail.com>) wrote:
>>>>
>>>>> It's weird, why does web2py not salt username and password before 
>>>>> sending it?
>>>>>
>>>>> Silvian Cedru wrote on Monday, 21 November 2022 at 09:25:05 UTC+7:
>>>>>
>>>>>> Here is a screenshot after sniffing the network, and it is weird: since 
>>>>>> it has HTTPS I thought you could not sniff out the password when someone 
>>>>>> logs in, so I need to salt or hash it, but I am not sure where I find the 
>>>>>> file and what to change. Would be awesome if someone could help.
>>>>>>
>>>>>> Silvian Cedru wrote on Thursday, 17 November 2022 at 11:05:34 UTC+7:
>>>>>>
>>>>>>> Hello everyone,
>>>>>>>
>>>>>>> I just found out that when you log in to my application my password 
>>>>>>> gets sent in plain text even though I thought it gets hashed. Does 
>>>>>>> someone know a solution how to salt or hash the password before sending?
>>>>>>>
>>>>>>>
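Added example, not part of the thread and not web2py code: a Python sketch of the point made in the replies above about reusing the transmitted hash, next to the usual server-side alternative. The two server classes and the unsalted SHA-256 client scheme are hypothetical, and the sample password is constructed.

```python
import hashlib
import hmac
import os

def client_hash(password):
    """Value hypothetical browser-side JavaScript would send instead of the password."""
    return hashlib.sha256(password.encode()).hexdigest()

class ClientHashServer:
    """Hypothetical server that accepts a client-computed hash as the credential."""
    def __init__(self):
        self.users = {}
    def register(self, user, password):
        self.users[user] = client_hash(password)  # the stored value IS the credential
    def login(self, user, submitted_hash):
        return hmac.compare_digest(self.users.get(user, ""), submitted_hash)

class ServerHashServer:
    """Password arrives over TLS; only a salted, slow hash is stored server-side."""
    ITERATIONS = 200_000  # assumed work factor for this example
    def __init__(self):
        self.users = {}
    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._derive(password, salt))
    def login(self, user, password):
        if user not in self.users:
            return False
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, self._derive(password, salt))

def demo():
    password = "correct horse battery staple"  # constructed sample value
    a = ClientHashServer()
    a.register("alice", password)
    b = ServerHashServer()
    b.register("alice", password)
    wire = client_hash(password)  # what an intercepting proxy shows for server A
    return {
        "wire_value_replayed_on_A": a.login("alice", wire),
        "stored_value_logs_in_on_A": a.login("alice", a.users["alice"]),
        "stored_value_logs_in_on_B": b.login("alice", b.users["alice"][1].hex()),
        "real_password_on_B": b.login("alice", password),
    }

if __name__ == "__main__":
    print(demo())
```

With client-side hashing the hash simply becomes the password: whoever sees it on the wire or in the database can log in with it, while the server-side scheme never stores anything that is accepted as a credential.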