
Endpoint login exposes user credentials via query string

See original GitHub issue

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, using docker compose
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, using docker compose
  • Docker, single container deploying all components
  • Other (please specify below)

Detailed Description

Logging into an endpoint (Navigating to /endpoints and selecting “register”) passes the login credentials in the request query string. This could disclose the login credentials to third parties.

Request URL:

/pp/v1/auth/login/cnsi?username=username&password=password&cnsi_guid=MYGUID&connect_type=creds&system_shared=false

Context

This is a security issue that could expose the user’s credentials to third parties.

Possible Implementation

The login to Stratos itself (the UAA login) already passes the credentials correctly in the body of the request. Sending the endpoint login the same way would keep the user's credentials out of the URL.

Request URL:

/pp/v1/auth/login/uaa

Form data passed:

username: johndoe
password: johndoe
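The two request shapes described above, side by side, as an added example that is not Stratos code: the leaky GET with credentials in the query string, the hardened POST that carries the same fields as form data like the UAA login does, and a small check a frontend or reviewer can run before a request goes out. Paths are the ones quoted in the issue; helper names and the fixed parameter values are assumptions.

```javascript
// Added example (not Stratos project code). Paths come from the issue text;
// function names and the sample credentials are assumptions for illustration.

// Query parameters that must never appear in a URL.
const SENSITIVE_PARAMS = ['username', 'password'];

function cnsiFields(creds) {
  // Same fields the issue's request URL carries.
  return {
    username: creds.username,
    password: creds.password,
    cnsi_guid: creds.cnsiGuid,
    connect_type: 'creds',
    system_shared: 'false',
  };
}

// Current (leaky) form: credentials ride in the query string, so they land in
// browser history, proxy and server access logs, and Referer headers.
function buildCnsiLoginLeaky(creds) {
  const qs = new URLSearchParams(cnsiFields(creds));
  return { method: 'GET', url: `/pp/v1/auth/login/cnsi?${qs}`, headers: {}, body: null };
}

// Proposed form: identical fields, but sent as form data in the POST body,
// mirroring how /pp/v1/auth/login/uaa already handles the Stratos login.
function buildCnsiLoginSafe(creds) {
  const body = new URLSearchParams(cnsiFields(creds));
  return {
    method: 'POST',
    url: '/pp/v1/auth/login/cnsi',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Guard: does a request URL carry any credential-like query parameter?
function urlLeaksCredentials(url) {
  const q = url.indexOf('?');
  if (q === -1) return false;
  const params = new URLSearchParams(url.slice(q + 1));
  return SENSITIVE_PARAMS.some((name) => params.has(name));
}

// Wrapper that refuses to send a request whose URL would leak credentials;
// a real client would hand `req` to fetch() instead of returning it.
function sendLogin(req) {
  if (urlLeaksCredentials(req.url)) {
    throw new Error(`refusing to send credentials in query string: ${req.url.split('?')[0]}`);
  }
  return req;
}
```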

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 6

Top GitHub Comments

2 reactions
brittag commented, Jul 17, 2019

Hi @richard-cox and @nwmac! My team would encourage reviewing this issue again and planning a place for it in your backlog, as part of good “defense in depth” security practices.

It’s important to use the best practice of not embedding credentials in query strings, even if the system is not designed to actively log and monitor those query strings. This is because something could go wrong in a team’s infrastructure or in another part of the system architecture that enables monitoring by an attacker or getting logged unexpectedly (which then could allow those logs to be reviewed by an attacker).

Strong security practices can help enable use of Stratos in a broader range of environments, including regulated and audited environments. Happy to answer questions or provide more comments if helpful - thank you!

1 reaction
richard-cox commented, Jul 18, 2019

Hi @brittag, thanks for commenting. We'll look into this in our next sprint (due to start next week).
