username and password - seen in visible text - fiddler

  • Question

  • User2048898515 posted

    Hi Team,

    In our web app (MVC4 app), though it is HTTPS, during login we can see the username and password in visible text in Fiddler. How to fix it?

    Attached the screenshot.

    https://ibb.co/fQjkNNC

    Saturday, April 6, 2019 5:04 PM

All replies

  • User475983607 posted

    Hi Team,

    In our web app (MVC4 app), though it is HTTPS, during login we can see the username and password in visible text in Fiddler. How to fix it?

    Attached the screenshot.

    https://ibb.co/fQjkNNC

    Correct and expected if you clicked OK when Fiddler prompted you regarding decrypting HTTPS traffic.

    Please see Fiddler support.

    https://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/DecryptHTTPS

    Saturday, April 6, 2019 5:16 PM
  • User2048898515 posted

    Hi mgebhard,

    Thanks for the response. Which part of the MVC4 application corresponds to the "OnBeforeRequest" function, so I can add that code?

    // FiddlerScript (JScript.NET) inside Fiddler's OnBeforeRequest handler: marks the CONNECT
    // tunnel of a given client process so that Fiddler does not decrypt its HTTPS traffic.
    if (oSession.HTTPMethodIs("CONNECT") && oSession["X-PROCESSINFO"] && oSession["X-PROCESSINFO"].StartsWith("outlook"))
    {
        oSession["x-no-decrypt"] = "boring process";
    }

    Will this code block Fiddler or any other sniffing tool?

    Sunday, April 7, 2019 4:44 PM
  • User475983607 posted

    Hi mgebhard,

    Thanks for the response. Which part of the MVC4 application corresponds to the "OnBeforeRequest" function, so I can add that code?

    if (oSession.HTTPMethodIs("CONNECT") && oSession["X-PROCESSINFO"] && oSession["X-PROCESSINFO"].StartsWith("outlook"))
    {
        oSession["x-no-decrypt"] = "boring process";
    }

    SSL is NOT point-to-point encryption. Middleware hardware like a proxy (Fiddler is a proxy) decrypts the HTTP message. This is simply how HTTP/SSL/networking works.

    Will this code block Fiddler or any other sniffing tool?

    Fiddler is in between the browser and the web server. The browser sends the credentials, not MVC.

    Sunday, April 7, 2019 4:59 PM
  • User2048898515 posted

    Hi mgebhard,

    Thanks again for the quick response.

    Could you please guide me on what the fix for it would be? Because we don't want Fiddler or any other sniffing tool to be able to see (peep at) this info.

    Sunday, April 7, 2019 5:04 PM
  • User475983607 posted

    Could you please guide me on what the fix for it would be? Because we don't want Fiddler or any other sniffing tool to be able to see (peep at) this info.

    There is no MVC solution. You can uncheck the Decrypt HTTP traffic option in the Fiddler configuration.

    This is really a question for your network admin and not an ASP.NET forum.

    Sunday, April 7, 2019 5:10 PM
  • User2048898515 posted

    Hi Mgebhard,

    Thanks again for the response.

    I have used Fiddler to look at one of the banking websites. When I enter the password and click submit, I noticed that the number of characters in the password is doubled.

    In Fiddler the password comes as encrypted. Do you have any clue on what they would have implemented?

    AuthenticationFG.ACCESS_CODE stores the Password.

    https://ibb.co/Br8fGb0

    https://ibb.co/2kYL40s

    Monday, April 8, 2019 7:32 AM
  • User-134105967 posted

    Hi nambir,

       This is client-side hashing of sensitive data, which happens in the browser. You can write JavaScript code to hash the password before it actually sends it to the server. A salted hash will be more secure. You will be matching this hashed password at the server side after applying the same hashing on the stored password in the database.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, April 8, 2019 9:09 AM
  • User475983607 posted

    In Fiddler the password comes as encrypted. Do you have any clue on what they would have implemented?

    A JavaScript application running in the browser.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, April 8, 2019 10:31 AM