
We’re in the process of performing OWASP security tests on our web application. The tool that we’re using to execute these tests is WebScarab. This is our first attempt at using a security testing tool on our application. We’ve observed that WebScarab logs the user name and password in one post request when the application is performing authentication. The request log data is listed below. The user name and password control names and inputted data are listed in bold. Is there any way that we can mask this sensitive data from getting logged by WebScarab or any similar testing or hacking tool? Our application is protected through SSL. Our main concern is preventing local access to sensitive data from unauthorized users.

POST https://s8:443/default.aspx HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: https://s8/
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)
Host: s8
Content-length: 2059
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: TC6_RememberMeCookie=; ASP.NET_SessionId=iciptkyckmut0u55hqlvtn24; LoginRedirectCallback=9D1D00C38B372C003E63DDB3EA767A7BC4F8A624E7C5CAFA03C9DB50DF7FCEAA6BDD9E7A4C192B8BED52C997FE2C14D05DDFF06BA445A53B1866E8A0C6FE53D0CE218587550AA68F650655F783430B0D9CB14561692129E5A215142CA8824D6847F4DE86F904F9AAC71682039517757605CA4C55

__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%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%2BBMXFkz3MSGsq3N1khmA%3D%3D&__SCROLLPOSITIONX=0&__SCROLLPOSITIONY=0&ctl00_PageContentPlaceHolder_MessageDialog_MessageDialogPopupControlWS=0%3A0%3A-1%3A-10000%3A-10000%3A0%3A400px%3A-10000%3A1&ctl00_PageContentPlaceHolder_MaintenanceDialogWS=0%3A0%3A-1%3A-10000%3A-10000%3A0%3A400px%3A200px%3A1&ctl00%24PageContentPlaceHolder%24LoginPanel%24UserNameTextBox=INDIVIDUAL&ctl00%24PageContentPlaceHolder%24LoginPanel%24PasswordTextBox=individual&ctl00%24PageContentPlaceHolder%24LoginPanel%24RememberMeCheckBox=U&ctl00%24PageContentPlaceHolder%24LoginPanel%24AlwaysLoginCheckBox=U&DXScript=1_44%2C1_76%2C1_69%2C1_67%2C1_43%2C1_66%2C2_34%2C2_40%2C2_27%2C1_42%2C1_59%2C2_41%2C2_30&DXScript=1_44%2C1_76%2C1_69%2C1_67%2C1_43%2C1_66%2C2_34%2C2_40%2C2_27%2C1_42%2C1_59%2C2_41%2C2_30&__CALLBACKID=ctl00%24PageContentPlaceHolder%24LoginCallback&__CALLBACKPARAM=c0%3A&__EVENTVALIDATION=%2FwEWBQKY9%2BHRBwLQivDODgKG%2F%2B%2BEDALU2p2OAQK50%2F%2B7DohZZFWlzm29ejCfTodu5w1PDwmI
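The request body quoted above shows where the masking has to happen: an intercepting proxy the user has installed terminates the SSL connection itself, so it sees the form fields in plaintext, and the only place credentials can reliably be kept out of logs is whatever system writes them. As an added example (not part of the original post), the following Python redacts credential-bearing fields from such a form body before it is logged; the body is a constructed, shortened copy of the one above with a placeholder VIEWSTATE, and the field-name fragments are an assumed rule set.

```python
from urllib.parse import parse_qsl, urlencode

# Field-name fragments treated as credentials (case-insensitive). Assumed rule
# set; extend it to match the control names used by the application.
SENSITIVE_FRAGMENTS = ("password", "passwd", "pwd", "username")

# Constructed, shortened form of the login POST body quoted in the post.
# VIEWSTATE_PLACEHOLDER stands in for the real encoded view state.
SAMPLE_BODY = (
    "__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=VIEWSTATE_PLACEHOLDER"
    "&ctl00%24PageContentPlaceHolder%24LoginPanel%24UserNameTextBox=INDIVIDUAL"
    "&ctl00%24PageContentPlaceHolder%24LoginPanel%24PasswordTextBox=individual"
    "&ctl00%24PageContentPlaceHolder%24LoginPanel%24RememberMeCheckBox=U"
    "&__CALLBACKID=ctl00%24PageContentPlaceHolder%24LoginCallback"
)


def is_sensitive(name: str) -> bool:
    """True if a decoded form field name matches a credential fragment."""
    lower = name.lower()
    return any(frag in lower for frag in SENSITIVE_FRAGMENTS)


def redacted_fields(body: str) -> list:
    """Decoded names of the fields that redact_form_body() would mask."""
    return [k for k, _ in parse_qsl(body, keep_blank_values=True) if is_sensitive(k)]


def redact_form_body(body: str, mask: str = "[REDACTED]") -> str:
    """Return the URL-encoded body with credential-bearing values masked.

    keep_blank_values preserves empty fields such as __EVENTTARGET= so the
    redacted copy still reflects the original request's shape for debugging.
    Field names are decoded by parse_qsl and re-encoded by urlencode, so
    '$' in the ASP.NET control names comes back out as '%24'.
    """
    pairs = parse_qsl(body, keep_blank_values=True)
    redacted = [(k, mask if is_sensitive(k) else v) for k, v in pairs]
    return urlencode(redacted)


if __name__ == "__main__":
    print(redact_form_body(SAMPLE_BODY))
```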
