Reg: how to send encrypted data to server

Hi Guys,

I have one doubt about security vulnerabilities in a web application. For example, in the login screen, the user provides their own username and password details and triggers the event. Inside the server we implement our functionalities. But my doubt is, the data passes to the server through a request from the client browser. Using a security tool like Paros, while clicking the event from the client, one can use this tool to capture the request details. In the request details all the data is showing in plain text (including username & password). So, please let me know how to handle this situation.

Thanks & Regards
Vijay

HTTPS aka SSL

Hi Guys,

We are testing the logon module using the Paros security tool. In this, username and password details are showing in plain text in both HTTP and HTTPS. We also tested one more public HTTPS portal using this tool. But all the request details are passing through in plain text to the server, which will compromise security. We would like to know how this can be avoided. Please guide me or give any solution for this.

Thanks & Regards
Vijay

Isn’t that the point, that your server sees it as plain text? This means that HTTPS has already encrypted it at the transfer point and decrypted it on the server side. To see that your traffic is encrypted, test using an HTTP sniffer; then you’ll know.

Hi,

We captured the request details before they reached the server using a security tool (Paros) on both the HTTP and HTTPS server. Both are showing plain text. So I am confused. Our application is working fine. But the security team will check the data transfer between the client browser and the server by capturing the request details.

It is showing plain text in both HTTP and HTTPS.

Then it sounds like the SSL cert itself. Did you check the public encryption for the SSL? Usually it’s RSA.

Then again, I never heard of SSL that doesn’t encrypt but I could be wrong.

Also, why are you bothering to test with HTTP? If you want your site secured, you should set your site to accept only HTTPS (with exceptions for resources like .jpg, .js, etc.).

From the Parosproxy.org website (my emphasis):

We wrote a program called “Paros” for people who need to evaluate the security of their web applications. It is free of charge and completely written in Java. Through Paros’s proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

The product you’re using is MEANT to view SSL traffic, most likely just like a man-in-the-middle attack.

Use a product like HTTPTea and see if you’re able to see your SSL traffic.
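To make the distinction the replies draw concrete (an intercepting proxy such as Paros shows the decrypted request, while a sniffer between browser and server sees the raw TCP payload), here is an added example, not code from the thread or from Paros, that classifies a captured payload as plaintext HTTP or a TLS record. The sample captures are constructed inline; the helper only reads TLS record headers and HTTP form bodies, it does not decrypt anything.

```python
"""Tell plaintext HTTP apart from TLS records in a wire capture (added example)."""

# TLS record content types (RFC 5246 / RFC 8446); the version field is always 3.x
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ",
                b"HEAD ", b"OPTIONS ", b"PATCH ")

def classify_capture(payload: bytes) -> dict:
    """Return the kind of traffic and, for plaintext HTTP, the exposed form fields."""
    # A TLS record starts with: content type, version (0x03 0x0N), 2-byte length
    if (len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 3 and payload[2] <= 4):
        rec_len = int.from_bytes(payload[3:5], "big")
        return {"kind": "tls", "record": TLS_CONTENT_TYPES[payload[0]],
                "record_len": rec_len, "exposed_fields": []}
    # Plaintext HTTP: request line, headers, blank line, then the form body
    if payload.startswith(HTTP_METHODS):
        _head, _sep, body = payload.partition(b"\r\n\r\n")
        fields = [pair.split(b"=", 1)[0].decode("ascii", "replace")
                  for pair in body.split(b"&") if b"=" in pair]
        return {"kind": "http", "exposed_fields": sorted(fields)}
    return {"kind": "unknown", "exposed_fields": []}

def credentials_exposed(payload: bytes, sensitive=("username", "password")) -> bool:
    """True when a plaintext capture carries any of the sensitive field names."""
    exposed = classify_capture(payload)["exposed_fields"]
    return any(name in exposed for name in sensitive)

# Constructed sample 1: what a sniffer sees when the login form goes over plain HTTP
PLAINTEXT_LOGIN = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                   b"Content-Type: application/x-www-form-urlencoded\r\n"
                   b"Content-Length: 30\r\n\r\n"
                   b"username=vijay&password=s3cret")
# Constructed sample 2: a TLS application-data record (16 bytes of made-up ciphertext)
TLS_APP_DATA = bytes([0x17, 0x03, 0x03, 0x00, 0x10]) + bytes(range(0xA0, 0xB0))

if __name__ == "__main__":
    for name, cap in (("HTTP", PLAINTEXT_LOGIN), ("HTTPS", TLS_APP_DATA)):
        print(name, classify_capture(cap), "credentials exposed:",
              credentials_exposed(cap))
```

Run against a real sniffer capture of the HTTPS login, the payload should classify as `tls`; if it classifies as `http`, the request genuinely left the browser unencrypted rather than merely being shown decrypted by the proxy.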