DataSafe password encryption ...not really

Question

Hi team,I just performed a test with datasafe on version 15.1.0.2. I set my login url to "/user_login.php" and the parameters "username" and "password" for the username/password field of my webpage. I asked datasafe to encrypt and obfuscate both my username and password parameters. then I reloaded my webpage.I entered "kabe_admin" as username and "kabe_password" as password. Then I opened the browser (firefox80.0.1) console and lunched a small script which displays all the forms fields value:javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j&lt;F.length; ++j) { f = F[j]; for (i=0; i&lt;f.length; ++i) { s += f[i].name + ":" + f[i].value + " " + f[i].type +"
"; } } if (s) console.log("Passwords in forms on this page:

" + s); else alert("There are no passwords in forms on this page.");})();&nbsp;I got the following result:&nbsp;Passwords in forms on this page: 
: hidden 
q: text 
:Go! submit 
: hidden 
id:0 select-one 
:Go! submit 
:kabe_admin text 08be7f2d16081800e5fbe4edc855463d5cc54fb3a397ca49d50c3cfe8264b225:08be7f2d1601180010d043f60ed0f20d2f34b275f9ce23baa960c9df7db6d1ba49319e1d865eea4a041b67c9c000990995b6b970bf72f8ccdc839ede5b0f1867a8c31c243b82fb013ee662ec07920ca89ecbd4ca664477130129742ef43dd4ed1414f7bfc7c4af165db6e2b448dcddee856cef14d376fd0a0f93356891cea6ce48ab7fa20410 hidden 
:kabe_password password 08be7f2d16081800e3908b0fe720a0fa78171259b4b5ff7e142021740647c372:08be7f2d1601180010d043f60ed0f20d2f34b275f9ce23baa960c9df7db6d1ba49319e1d865eea4a041b67c9c000990995b6b970bf72f8ccdc839ede5b0f1867a8c31c243b82fb013ee662ec07920ca89ecbd4ca664477130129742ef43dd4eda4b79a1d9a94b53f4fe4e37fefa20dc2709bfed517f1710e8a30f48bd6b045e84cadff3b1ac7048d9f hidden 
: submit 
action:login hidden&nbsp;As you can see in the output, I was able to get a clear version of the password ! ok the field name doesn't appear in front of "kabe_password" but nonetheless it is of type "password" and after all the password is visible with this simple JS code !If I can do it, I think that a Malware will more than able to do the same , right ? isn't it the goal of Datasafe to prevent malware from stealing information like this ? Is this a huge bug ? or am I missing something ?&nbsp;PS: This is lab environment and I can share my config if needed. although this can easily be reproduced.many thanks,karim&nbsp;&nbsp;

andrew-f5 · Answer

Did you follow the link here to first confirm the encrypt/obfuscate features are indeed functioning? It seems as if they aren't, possibly due to a misconfiguration or bug.

lb · Answer

Are you sure you have the correct parameter names?

karim · Answer

You can find bellow my config :

very simple, with no special customization except the added login url (/user_login.php) and the username/password parameters.

I'm sure that I am using the correcte parameter names, because they are encrypted/obfuscated when they leave the browser.

I've been told that this profile doesn't protect from "malware in the browser" and that is what my little JS script mimics . is it possible that it's the answer ? or am I hitting a bug here ?

If anyone else can make the same very quick test and ensure that the JS script above displays the parameter values it would be very nice ,

many thanks,

karim

Forum Discussion

DataSafe password encryption ...not really

3 Replies

Recent Discussions

Unwinding the Benefits of Investing in White Label Crypto Wallet

SMTP profile not visible & showing

About AWAF "Redirect URLs" in "Responses and Blocks"

F5 iRule to replace host to path

Chrome V 124+ on MacOS - Virtual Server Access Issue

Related Content

Decrypt, Encrypt, Decrypt, Encrypt, Encrypt....

Let's Encrypt

Automate Let's Encrypt Certificates on BIG-IP

Automate scp transfers using password

Password Safety & Security: Passwords vs. Passphrases