[CLOSED] submitDirectEventConfig exposing username and password in developer tools

  1. #1

    Hello,

    I have a login window that contains Ext.NET textfields for username and password and a submit button. When clicking the submit button, submitDirectEventConfig appears in the developer tools, and the username and password are exposed to any user who opens the developer tools: submitDirectEventConfig:{"config":{"extraParams":{ "username":"splvrd","password":"1234","Language":" ar"}}}.
    In addition to that, these two textfields are also exposed in the FormData section in the developer tools under the __EVENTARGUMENT section.

    __EVENTARGUMENT:-|public|VerifyLogin
    txtUsername:splvrd
    txtPassword:1234
    LanguageRadioGroup:ar

    How can I encrypt or not expose this data? Please check the attached screenshots.

    Thank you.
    Last edited by fabricio.murta; Jul 14, 2017 at 4:21 PM. Reason: no feedback from the user in 7+ days
  2. #2
    Hello @Geovision!

    I'm afraid encrypting forms and security backend concepts goes beyond Ext.NET scope. If you make a textfield, even if it contains a password, it will be transferred as-is. It would be up to the developer to work on ways to obfuscate passwords for submission, as well as keeping secure session tokens to keep the user logged in.

    You can probably bind a function before submit that would obfuscate the password field being submitted to the server; then, server-side, you convert it back.

    What exactly would a simplified version of your submit form look like? Maybe we can better understand it and suggest a way to tamper with the fields' submission so that they do not go 'wide open' through. But I believe a Google search on how to make secure password submission forms would yield more results (I may be wrong or misunderstanding your inquiry though).

    I hope this helps!
    Fabrício Murta
    Developer & Support Expert
  3. #3
    This is how HTML/HTTP works. Make a .html only sample (no Ext.NET) with username and password fields. The field values are submitted to the server in clear text.

    If you want to provide some level of security, please use HTTPS.

    Fabricio's suggestion to client-side obfuscate the values might help too, but they will only obfuscate the values, not securely encrypt. At least you shouldn't count on them securely encrypting the values.

    You should use HTTPS.
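
Why the before-submit obfuscation discussed in #2 and #3 hides the literal value from the Form Data view without protecting it, shown as an added example that is not part of any post in this thread and is not Ext.NET code. `PAGE_KEY`, `obfuscatePassword` and the other function names are hypothetical, and the form body is constructed from the field names in post #1.

```javascript
// Added illustration (runs under Node.js). All names and the key below are
// hypothetical; the sample form body is constructed.

// Any key or routine applied before submit ships inside the page, so every
// visitor, and anyone able to read the page over plain HTTP, holds it too.
const PAGE_KEY = "k3y-in-page-source";

function xorBytes(bytes, key) {
  const k = Buffer.from(key, "utf8");
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ k[i % k.length];
  return out;
}

// What a "bind a function before submit" handler might do to the field.
function obfuscatePassword(plain) {
  return xorBytes(Buffer.from(plain, "utf8"), PAGE_KEY).toString("base64");
}

// What the server does to convert it back. Nothing here is secret: both
// inputs (the submitted value and the page's key) are visible client-side.
function deobfuscatePassword(encoded) {
  return xorBytes(Buffer.from(encoded, "base64"), PAGE_KEY).toString("utf8");
}

// The form body as it would appear under "Form Data" in the developer tools.
function buildFormBody(username, password) {
  return new URLSearchParams({
    txtUsername: username,
    txtPassword: obfuscatePassword(password),
  }).toString();
}

// Reading the captured body back with the routine the page itself delivered.
function readPasswordFromBody(body) {
  return deobfuscatePassword(new URLSearchParams(body).get("txtPassword"));
}

const body = buildFormBody("splvrd", "1234");
console.log(body);                       // literal "1234" no longer visible
console.log(readPasswordFromBody(body)); // recovered without any secret
```

Confidentiality in transit comes from TLS, where the key material is negotiated per connection and never appears in the page source.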
