asp.net mobile :: HTTP request :: password exposed RRS feed

  • Question

  • User1825469510 posted
    Hi guys & gals, I made a login.aspx page in order to manage security. I use OPENWAVE to emulate the mobile app behaviour. In the OPENWAVE Simulator console, in one of the many HTTP requests, I see this: ...blah blah blah <HTTP-raw> ******************************** HTTP Request ******************************** <HTTP-raw> Lenght: 77 <HTTP-raw> Socket: 1 <HTTP-raw> Host address: xx.xxx.xxx.xxx <HTTP-raw> URI: http://webserver/sgiavisos/(uhvcob451a1udhvhklex4ea4)/login.aspx <HTTP-raw> ****************************************************************************** <HTTP-raw> __EVENTTARGET=cmdIniciarSesion&__EVENTARGUMENT=&txtUsuario=X1&txtClave=12345 ...blah blah blah We can identify the following components of the EVENTTARGET and EVENTARGUMENT: "cmdIniciarSesion" is the command button which I click to send the data to the webserver. "txtUsuario" is the textbox where I enter the userID. "txtClave" is the textbox where I enter the password. Value WITHOUT ENCRYPTING=12345 As you can see, the password is exposed in the HTTP request, which (in my understanding) is a security flaw. Anybody got some workaround for this issue? Thanx in advance
    Tuesday, October 9, 2007 6:31 PM


All replies