Pass credentials using form post rather then url query parameters in …
…backend examples to prevent credentials from getting leaked through browser cache

https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url
bravecorvus committed Oct 6, 2021
1 parent d24ce69 commit e76689d
Showing 6 changed files with 104 additions and 104 deletions.
6 changes: 3 additions & 3 deletions go-server-example/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -55,19 +55,19 @@ func main() {

r.Get("/favicon.ico", func(w http.ResponseWriter, req *http.Request) { w.Write(faviconBytes) })

r.Get("/login", func(w http.ResponseWriter, req *http.Request) {
r.Post("/login", func(w http.ResponseWriter, req *http.Request) {

ret := make(map[string]interface{})

if req.URL.Query().Get("email") != DEMO_EMAIL {
if req.FormValue("email") != DEMO_EMAIL {
ret["responseCode"] = "UNFD"
ret["message"] = "User not found. Please make sure you entered the right userId and API credentials in config.go"
marshaled, _ := json.Marshal(ret)
w.Write(marshaled)
return
}

if req.URL.Query().Get("password") != DEMO_PASSWORD {
if req.FormValue("password") != DEMO_PASSWORD {
ret["responseCode"] = "INPW"
ret["message"] = "Incorrect Password"
marshaled, _ := json.Marshal(ret)
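Review bot: `req.FormValue("email")` and `req.FormValue("password")` still accept the credentials from the URL, because net/http's FormValue merges the query string with the POST body (body values take precedence, but a query-only `/login?email=…&password=…` is still honoured), so the leak this commit targets is only partly closed on the Go backend. Use `req.PostFormValue("email")` and `req.PostFormValue("password")`, which read only the body of a POST/PUT/PATCH request and ignore query parameters; both still call ParseMultipartForm, so the multipart FormData the frontend sends keeps working. Separately, answering `UNFD` before the password is even looked at lets a caller probe which email is valid; a single generic failure response (and `subtle.ConstantTimeCompare` instead of `!=` if this is ever copied beyond a demo) would avoid that. The handler closure and the enclosing `main()` both start and end outside the hunk.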
61 changes: 30 additions & 31 deletions go-server-example/public/js/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -52,17 +52,16 @@ function showForTime(elementSelector, timeInSeconds){
}, timeInSeconds + 200);
}

function exampleLoginAPICall(values, callback) {
var bodyString = '?email=' + values.email + '&password=' + values.password;
var http = new XMLHttpRequest();
http.open("GET", "/login" + bodyString, true);
http.send(null);
http.onreadystatechange = function() {
if (http.readyState === 4) {
var response = JSON.parse(http.responseText.trim());
callback(response);
}
}
async function exampleLoginAPICall(values) {
let formData = new FormData()
formData.append('email', values.email);
formData.append('password', values.password);

return await fetch('/login', {method: 'POST', body: formData})
.then(response => response.json())
.then((data) => {
return data;
});
}

function isLivenessEnabled(){
Expand Down Expand Up @@ -291,7 +290,7 @@ window.onload = function(event) {
return passedCheck;
}

document.querySelector('#loginBtn').addEventListener('click', function() {
document.querySelector('#loginBtn').addEventListener('click', async function() {
var em = document.querySelector('input[name="email"]').value;
var pass = document.querySelector('input[name="password"]').value;
var loginCreds = {
Expand All @@ -301,26 +300,26 @@ window.onload = function(event) {

if (validateCredentialsFormat(loginCreds)) {
showLoader(true);
exampleLoginAPICall(loginCreds, function(response) {
if (response.responseCode === "SUCC" && response.token) {
window.loggedIn = true;
window.myVoiceIt.setSecureToken(response.token);
if(window.frontEndInitialized){
showLoader(false);
showElement('#biometricOptions');
}
hideElement('#loginBtn');
hideElement('#formOverlay');
showMessage('Please choose a 2FA verification option below');
} else {
if(window.frontEndInitialized){
showLoader(false);
}
// hideElement('#loginBtn');
// hideElement('#formOverlay');
showMessage(response.message, true);
const response = await exampleLoginAPICall(loginCreds);

if (response.responseCode === "SUCC" && response.token) {
window.loggedIn = true;
window.myVoiceIt.setSecureToken(response.token);
if(window.frontEndInitialized){
showLoader(false);
showElement('#biometricOptions');
}
});
hideElement('#loginBtn');
hideElement('#formOverlay');
showMessage('Please choose a 2FA verification option below');
} else {
if(window.frontEndInitialized){
showLoader(false);
}
// hideElement('#loginBtn');
// hideElement('#formOverlay');
showMessage(response.message, true);
}
}

});
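Review bot: The new `await exampleLoginAPICall(loginCreds)` in the click handler has no `try`/`catch`, and `exampleLoginAPICall` itself rejects whenever `fetch` fails (network error) or the reply is not JSON (`response.json()` throws), so the handler dies with an unhandled rejection and the spinner switched on by `showLoader(true)` just above is never cleared. Catch the failure next to the call, reset the loader and tell the user, as below. The `window.onload` function that contains this handler starts outside the hunk.
```javascript
    if (validateCredentialsFormat(loginCreds)) {
      showLoader(true);
      let response;
      try {
        response = await exampleLoginAPICall(loginCreds);
      } catch (err) {
        // Network failure or a non-JSON reply: clear the spinner and surface a generic error.
        if (window.frontEndInitialized) {
          showLoader(false);
        }
        showMessage('Login request failed. Please try again.', true);
        return;
      }
      // … unchanged: SUCC / failure handling of response …
    }
```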
61 changes: 30 additions & 31 deletions node-server-example/public/js/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -52,17 +52,16 @@ function showForTime(elementSelector, timeInSeconds){
}, timeInSeconds + 200);
}

function exampleLoginAPICall(values, callback) {
var bodyString = '?email=' + values.email + '&password=' + values.password;
var http = new XMLHttpRequest();
http.open("GET", "/login" + bodyString, true);
http.send(null);
http.onreadystatechange = function() {
if (http.readyState === 4) {
var response = JSON.parse(http.responseText.trim());
callback(response);
}
}
async function exampleLoginAPICall(values) {
let formData = new FormData()
formData.append('email', values.email);
formData.append('password', values.password);

return await fetch('/login', {method: 'POST', body: formData})
.then(response => response.json())
.then((data) => {
return data;
});
}

function isLivenessEnabled(){
Expand Down Expand Up @@ -291,7 +290,7 @@ window.onload = function(event) {
return passedCheck;
}

document.querySelector('#loginBtn').addEventListener('click', function() {
document.querySelector('#loginBtn').addEventListener('click', async function() {
var em = document.querySelector('input[name="email"]').value;
var pass = document.querySelector('input[name="password"]').value;
var loginCreds = {
Expand All @@ -301,26 +300,26 @@ window.onload = function(event) {

if (validateCredentialsFormat(loginCreds)) {
showLoader(true);
exampleLoginAPICall(loginCreds, function(response) {
if (response.responseCode === "SUCC" && response.token) {
window.loggedIn = true;
window.myVoiceIt.setSecureToken(response.token);
if(window.frontEndInitialized){
showLoader(false);
showElement('#biometricOptions');
}
hideElement('#loginBtn');
hideElement('#formOverlay');
showMessage('Please choose a 2FA verification option below');
} else {
if(window.frontEndInitialized){
showLoader(false);
}
// hideElement('#loginBtn');
// hideElement('#formOverlay');
showMessage(response.message, true);
const response = await exampleLoginAPICall(loginCreds);

if (response.responseCode === "SUCC" && response.token) {
window.loggedIn = true;
window.myVoiceIt.setSecureToken(response.token);
if(window.frontEndInitialized){
showLoader(false);
showElement('#biometricOptions');
}
});
hideElement('#loginBtn');
hideElement('#formOverlay');
showMessage('Please choose a 2FA verification option below');
} else {
if(window.frontEndInitialized){
showLoader(false);
}
// hideElement('#loginBtn');
// hideElement('#formOverlay');
showMessage(response.message, true);
}
}

});
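Review bot: `exampleLoginAPICall` hands whatever `fetch('/login')` returns straight to `response.json()` without looking at `response.ok`, so an HTML error page from the server (500, a proxy error) surfaces as a `SyntaxError` from the JSON parser rather than a meaningful failure, and the `return await …then((data) => { return data; })` chain is a no-op wrapper around the same promise. The visible server branches all answer with status 200 (`res.json` without `res.status`), so an `ok` check will not reject the `INPW`/`UNFD` replies; a rewrite with the status check and the redundant `.then` chain removed is below. The caller of this function (the click handler) is in a later hunk of the same file.
```javascript
async function exampleLoginAPICall(values) {
  const formData = new FormData();
  formData.append('email', values.email);
  formData.append('password', values.password);

  const response = await fetch('/login', { method: 'POST', body: formData });
  if (!response.ok) {
    throw new Error(`Login request failed with HTTP ${response.status}`);
  }
  return response.json();
}
```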
17 changes: 9 additions & 8 deletions node-server-example/server.js
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ const bodyParser = require('body-parser')
const config = require('./config')
const VoiceIt2WebSDK = require('../voiceit-node-websdk')
// const = require('../voiceit-node-websdk/tokenGenerator')
const app = express()
const app = express();
const port = 3000
let test = '';

Expand All @@ -15,20 +15,21 @@ app.use(session({
secret: 'supersecretsessionkey',
resave: false,
saveUninitialized: true,
}))
}));

app.use('/favicon.ico', express.static('public/images/favicon.ico'));
// parse application/json
app.use(bodyParser.json())
app.use(bodyParser.json());
// parse application/x-www-form-urlencoded
app.use(bodyParser.urlencoded({ extended: true }))
app.use(bodyParser.urlencoded({ extended: true }));
// for parsing multipart/form-data
const multer = require('multer')()
app.use(multer.array());
// serve all static files in public directory
app.use(express.static('public'))
app.use(express.static('public'));

app.get('/login', function (req, res) {
if(req.query.email === config.DEMO_EMAIL && req.query.password === config.DEMO_PASSWORD){
app.post('/login', function (req, res) {
if(req.body.email === config.DEMO_EMAIL && req.body.password === config.DEMO_PASSWORD){
let generatedToken = '';
const userId = config.VOICEIT_TEST_USER_ID;
if (userId.substring(0,4) === 'usr_'){
Expand All @@ -44,7 +45,7 @@ app.get('/login', function (req, res) {
'message' : 'Successfully authenticated user',
'token' : generatedToken
});
} else if (req.query.password !== config.DEMO_PASSWORD){
} else if (req.body.password !== config.DEMO_PASSWORD){
res.json({
'responseCode': 'INPW',
'message' : 'Incorrect Password'
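Review bot: The failure branches of the new `app.post('/login')` handler act as a password oracle: `else if (req.body.password !== config.DEMO_PASSWORD)` returns `INPW` for any email, so the remaining branch (reached only when the password matches but the email does not, and presumably returning the user-not-found reply beyond the hunk) tells a caller that a guessed password is correct without them knowing the account, and the split also distinguishes a wrong password from a wrong email. Collapse both failures into one neutral reply, e.g. `res.json({ 'responseCode': 'INPW', 'message': 'Invalid email or password' })`, and if this pattern is copied into a real backend compare secrets with `crypto.timingSafeEqual` on equal-length buffers rather than `===`. The hard-coded `secret: 'supersecretsessionkey'` in the session setup a few lines above should likewise come from configuration rather than source. The handler body continues past the end of the hunk.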
59 changes: 30 additions & 29 deletions php-server-example/js/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -52,17 +52,16 @@ function showForTime(elementSelector, timeInSeconds){
}, timeInSeconds + 200);
}

function exampleLoginAPICall(values, callback) {
var bodyString = '?email=' + values.email + '&password=' + values.password;
var http = new XMLHttpRequest();
http.open("GET", "/login" + bodyString, true);
http.send(null);
http.onreadystatechange = function() {
if (http.readyState === 4) {
var response = JSON.parse(http.responseText.trim());
callback(response);
}
}
async function exampleLoginAPICall(values) {
let formData = new FormData()
formData.append('email', values.email);
formData.append('password', values.password);

return await fetch('/login', {method: 'POST', body: formData})
.then(response => response.json())
.then((data) => {
return data;
});
}

function isLivenessEnabled(){
Expand Down Expand Up @@ -243,7 +242,7 @@ window.onload = function(event) {
return passedCheck;
}

document.querySelector('#loginBtn').addEventListener('click', function() {
document.querySelector('#loginBtn').addEventListener('click', async function() {
var em = document.querySelector('input[name="email"]').value;
var pass = document.querySelector('input[name="password"]').value;
var loginCreds = {
Expand All @@ -253,24 +252,26 @@ window.onload = function(event) {

if (validateCredentialsFormat(loginCreds)) {
showLoader(true);
exampleLoginAPICall(loginCreds, function(response) {
if (response.responseCode === "SUCC") {
window.loggedIn = true;
window.myVoiceIt.setSecureToken(response.token);
if(window.frontEndInitialized){
showLoader(false);
showElement('#biometricOptions');
}
hideElement('#loginBtn');
hideElement('#formOverlay');
showMessage('Please choose a 2FA verification option below');
} else {
if(window.frontEndInitialized){
showLoader(false);
}
showMessage(response.message, true);
const response = await exampleLoginAPICall(loginCreds);

if (response.responseCode === "SUCC" && response.token) {
window.loggedIn = true;
window.myVoiceIt.setSecureToken(response.token);
if(window.frontEndInitialized){
showLoader(false);
showElement('#biometricOptions');
}
});
hideElement('#loginBtn');
hideElement('#formOverlay');
showMessage('Please choose a 2FA verification option below');
} else {
if(window.frontEndInitialized){
showLoader(false);
}
// hideElement('#loginBtn');
// hideElement('#formOverlay');
showMessage(response.message, true);
}
}

});
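Review bot: A failed `fetch` or a non-JSON reply makes `await exampleLoginAPICall(loginCreds)` throw inside the click handler, and nothing catches it, so the loader enabled by `showLoader(true)` on the line before stays up and the user gets no message; wrap the call, `try { response = await exampleLoginAPICall(loginCreds); } catch (err) { if (window.frontEndInitialized) { showLoader(false); } showMessage('Login request failed. Please try again.', true); return; }`. In `exampleLoginAPICall` the trailing `.then((data) => { return data; })` adds nothing and `return await` is redundant; `const response = await fetch(…); return response.json();` reads the same. A `response.ok` check would help too, but only if the PHP endpoint keeps answering 2xx with a JSON body on failed logins, which the hunk does not show. The `window.onload` function enclosing the handler starts outside the hunk.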
4 changes: 2 additions & 2 deletions php-server-example/login/index.php
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,8 @@
include('../config.php');


$email = "".$_GET["email"];
$password = "".$_GET["password"];
$email = "".$_POST["email"];
$password = "".$_POST["password"];

if($email == $DEMO_EMAIL && $password == $DEMO_PASSWORD){
header("HTTP/1.1 200 OK");
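Review bot: `$_POST["email"]` and `$_POST["password"]` raise an undefined-array-key warning when a field is absent (a bare `POST /login` with no body), and the `==` comparison two lines below is PHP's loose comparison, under which numeric-looking strings such as `"1e3"` and `"1000"` compare equal even in PHP 8. Read the fields with a default, `$email = (string)($_POST['email'] ?? '');` and likewise for `$password`, compare the email with `===`, and compare the password with `hash_equals($DEMO_PASSWORD, $password)`, which is both strict and constant-time (it requires both arguments to be strings; `$DEMO_PASSWORD` presumably is, from config.php). The `if` body continues past the end of the hunk.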
