Don't send Login and password in plain text within the url to web service?

Post Reply
automation
Member
Posts: 40
Joined: Tue Jan 15, 2019 10:19 pm

Don't send Login and password in plain text within the url to web service?

Post by automation »

I'am using the code below to connect to a web service and then download content. They say I'am sending Login and password in plain text within the url to web service. How can I solve to not send in plain text?

The url is https.

Code: Select all

	
	//Some vars defined first
	var apiUrl = s.getPropertyValue('apiUrl');
	var apiUser = s.getPropertyValue('apiUser');
	var apiPass = s.getPropertyValue('apiPass');
	var anyOrders = "";
	
	var theHTTP = new HTTP();
	theHTTP.resetParameters();
	theHTTP.url = apiUrl + "/wsauth?";
	theHTTP.addParameter("username", apiUser);
	theHTTP.addParameter("password", apiPass);
	theHTTP.authScheme = HTTP.BasicAuth;
	theHTTP.post();

	while( !theHTTP.waitForFinished( 1 ) ) { }
	job.log(-1, "Server response: " + theHTTP.getServerResponse().toString("UTF-8"));
	

	if( theHTTP.finishedStatus != HTTP.Ok )
	{
		job.fail("The request failed: %1", theHTTP.lastError);
		return;
	}

	var theCookie = theHTTP.getHeaderValue( HTTP.SetCookie ).toString( "UTF-8" );
	if( theCookie.isEmpty() )
	{
		job.fail("Invalid cookie response: %1", theHTTP.lastError);
		return;
	}

	s.log(-1, "Cookie: " + theCookie);

	//Perform query to get xml file	
	theHTTP.addHeader( HTTP.Cookie, theCookie );
	theHTTP.url = apiUrl + "/order/latest";
	theHTTP.localFilePath = job.createPathWithName("latest.xml", false); 
	
	job.log(1,theHTTP.localFilePath, false);
  	theHTTP.get(); 
	
  	job.log( 4, "Download started", 100 );
  	while( !theHTTP.waitForFinished( 3 ) ) {
    	job.log( 5, "Downloading...", theHTTP.progress() );
  	}
  	job.log( 6, "Download finished" );
	
They can see in the log (MY_USERNAME and MY_PASSWORD is replacement for my real login, but they can see my real login): /order/latest?username=MY_USERNAME&password=MY_PASSWORD
Padawan
Advanced member
Posts: 363
Joined: Mon Jun 12, 2017 8:48 pm
Location: Belgium
Contact:

Re: Don't send Login and password in plain text within the url to web service?

Post by Padawan »

Can you replace

Code: Select all

	theHTTP.addParameter("username", apiUser);
	theHTTP.addParameter("password", apiPass);
with

Code: Select all

	theHTTP.user  = apiUser;
	theHTTP.password = apiPass;
This is the way to define username and password when using Basic Authentication, which you have configured.
automation
Member
Posts: 40
Joined: Tue Jan 15, 2019 10:19 pm

Re: Don't send Login and password in plain text within the url to web service?

Post by automation »

Does it matter if I use "Basic Authentication" or other authScheme?
Padawan
Advanced member
Posts: 363
Joined: Mon Jun 12, 2017 8:48 pm
Location: Belgium
Contact:

Re: Don't send Login and password in plain text within the url to web service?

Post by Padawan »

From the documentation of the http class:
user : String
This property contains a user name if authentication is to be used.

If authScheme is set to HTTP Basic Authentication, the user and password are Base64 encoded, and the result in the form "Basic [encoded-user-password]" is used for authorization.

If authScheme is set to HTTP Digest Authentication, the user and password properties are used to respond to the HTTP Digest Authentication challenge from the server.

If authScheme is set to NTLM, NTLM authentication will be attempted.
So it is used for Basic Authentication, HTTP Digest and NTLM.
freddyp
Advanced member
Posts: 1077
Joined: Thu Feb 09, 2012 3:53 pm

Re: Don't send Login and password in plain text within the url to web service?

Post by freddyp »

Does it matter what authentication method you use? Of course it does! It is the server that determines what method you have to use.

The method you described first (credentials specified as parameters) is actually used by some web services (not very often though), so at first sight it was not impossible. In such a case it is highly recommended to use HTTPS only, because everything after the ? in the URL is encrypted when using HTTPS.

When you specify

Code: Select all

theHTTP.enableMime = true
then the parameters are not added to the URL, but they are put in a MIME in the body of the mail. This does not expose the credentials on the URL but anybody intercepting the body can still read it. Unless you are using HTTPS of course, in which the body is encrypted.

All of the above is irrelevant when the web service does not read the credentials from the parameters of the POST request. Also Padawan's suggestion to use the basic authentication method might work, and then again, it might not.

What does the server expect is the first question to ask. The rest follows from the answer to that question.
automation
Member
Posts: 40
Joined: Tue Jan 15, 2019 10:19 pm

Re: Don't send Login and password in plain text within the url to web service?

Post by automation »

The web service expect me to use POST but when I change to this I get an error

Code: Select all

theHTTP.url = apiUrl + "/order/latest";
theHTTP.localFilePath = job.createPathWithName("latest.xml", false); 
	
job.log(1,theHTTP.localFilePath, false);
theHTTP.post()
The log don't display the password in the first call (when I use post) but in the second call when I use get (/order/latest)

The log:

Code: Select all

"POST /tomasot/wsauth? HTTP/1.1" 200 4 "-" "IPWorks HTTP Component"
"GET /tomasot/order/latest?username=REAL_USERNAME&password=REAL_PASSWORD HTTP/1.1" 200 4199 "-" "IPWorks HTTP Component
freddyp
Advanced member
Posts: 1077
Joined: Thu Feb 09, 2012 3:53 pm

Re: Don't send Login and password in plain text within the url to web service?

Post by freddyp »

When using GET, parameters are passed as part of the URL. That is how it works. Perhaps this page clarifies a few things:
https://www.plus2net.com/php_tutorial/variables2.php
Post Reply