
I understand sending passwords in the clear over GET is not considered secure because the query string can be logged by multiple eavesdroppers.

However, if I REALLY need to use JSONP to submit a username and password to my server, is there a way to do it?

Maybe some crypto on the back-end and front-end?

I was just trying to have a simple approach to get my users to log in to two domains (not sub-domains) at the same time, without breaking CORS rules. Basically, what I get in my logs now is this:

GET /login/jsonp?callback=jQuery21403191181201609543_1535388742134&email=email%40gmail.com&password=SjRrNOHzN&_=1535388742135 200 32.987 ms - 130.

I believe such a query is not secure.

Rory Alsop
Emilio
  • "because the query string can be logged by multiple eavesdroppers" if you are using HTTPS which eavesdroppers do you think about? The query string in the GET part will be encrypted as much as the POST content would be, so no differences there. You can however argue that for example it would be bad for logging since often the whole URL is logged. – Patrick Mevzek Aug 27 '18 at 18:31
  • @PatrickMevzek Not sure, I was thinking about my CDN, and also browser add-ons. People here seem to agree that password over GET (even with https) is not safe: https://security.stackexchange.com/questions/38688/are-get-parameters-secure-over-https https://security.stackexchange.com/questions/30976/can-urls-be-sniffed-when-using-ssl There's also the issue that I would need to remove the sensitive data from my logs. – Emilio Aug 27 '18 at 18:35
  • If the CDN ends the TLS connection, of course it can inspect all HTTP traffic, GET or POST. As for browser add-ons they will also get access, in some way to all GET and POST data, so I fail to see differences there. The first link you give gives exactly same info as my comment above (same encryption, difference in logging often of course), second one speaks about Session Fixation which is an orthogonal problem to HTTPS. – Patrick Mevzek Aug 27 '18 at 18:40
  • @PatrickMevzek I guess the worry would be that the CDN and the browser add-ons are known to log the query string of the requests; however they rarely log the body. / I'm thinking maybe that masking the password with a little bit of crypto using something such as the CSRF token for the key would be a solution for that. What do you think? – Emilio Aug 27 '18 at 18:44
  • Do an AJAX POST query and your login/password would not be in the URL. You may need to expand your question a little more to better understand your use case, as you started in your comment below @.vrtjason answer. – Patrick Mevzek Aug 27 '18 at 18:46
  • @PatrickMevzek AJAX POST won't work. It would break CORS rules. – Emilio Aug 27 '18 at 18:47
  • @PatrickMevzek sorry for the second link, I wanted to quote this one instead: https://security.stackexchange.com/questions/64631/is-it-safe-to-send-clear-usernames-passwords-on-a-https-connection-to-authentica#comment104856_64639 – Emilio Aug 27 '18 at 18:48
  • Based on your current description of the problem, I do not see why. So you need to either expand your question with details or otherwise get incomplete answers. – Patrick Mevzek Aug 27 '18 at 18:48
  • " GETs will be in the clear." when you use HTTPS? I do not think so... Only the hostname (from URL) will be in the clear because for now there is no encrypted SNI. All the rest of HTTP data, including the full URL are inside the TLS stream, so encrypted. But again depends if you are speaking about in transit, or what is in memory and inspected by whom, or what is logged where, etc.... – Patrick Mevzek Aug 27 '18 at 18:50
  • @PatrickMevzek Alright, thanks. I think my crypto solution would be good way to go in this case if the worry is just to avoid logs. – Emilio Aug 27 '18 at 18:51
  • Why use JSONP instead of CORS with a POST request? JSONP is just an old hack that is unnecessary with CORS support being universal now. – Macil Aug 27 '18 at 20:22
  • @Macil Would that set cookies for both domains? – Emilio Aug 27 '18 at 20:50
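The log line in the question is a gap that can be closed on the server regardless of which transport the client ends up using: credentials that reach the access log have to be stripped before the line is written. As an added example (not code from the question or from any answer), this Node.js snippet redacts the values of sensitive query parameters from a line shaped like the one above and counts how many lines carried them; the key list and the space-separated log layout are assumptions.

```javascript
// Added example, not from the question or answer: redact sensitive query
// parameters in access-log lines shaped like "METHOD /path?query status ...".
// The key list and the space-separated log layout are assumptions.

const SENSITIVE_KEYS = new Set(['password', 'passwd', 'pwd', 'token', 'secret']);

// Returns { line, redacted }: `line` is the log line with each sensitive
// parameter value replaced by REDACTED, `redacted` lists the keys that hit.
// Lines without a query string are returned unchanged.
function redactAccessLogLine(line, sensitiveKeys = SENSITIVE_KEYS) {
  const parts = line.split(' ');
  const target = parts[1] || '';
  const qIdx = target.indexOf('?');
  if (qIdx === -1) return { line, redacted: [] };

  const path = target.slice(0, qIdx);
  const params = new URLSearchParams(target.slice(qIdx + 1));
  const redacted = [];
  const rebuilt = [];
  for (const [key, value] of params) {
    if (sensitiveKeys.has(key.toLowerCase())) {
      redacted.push(key);
      rebuilt.push(`${encodeURIComponent(key)}=REDACTED`);
    } else {
      // Re-encode so the rebuilt target stays a valid URL (e.g. '@' -> '%40').
      rebuilt.push(`${encodeURIComponent(key)}=${encodeURIComponent(value)}`);
    }
  }
  parts[1] = `${path}?${rebuilt.join('&')}`;
  return { line: parts.join(' '), redacted };
}

// Processes a whole log and counts the lines that carried credentials in the
// URL, which is the number a defender wants to drive to zero.
function redactLog(lines, sensitiveKeys = SENSITIVE_KEYS) {
  let flagged = 0;
  const out = lines.map((l) => {
    const r = redactAccessLogLine(l, sensitiveKeys);
    if (r.redacted.length > 0) flagged += 1;
    return r.line;
  });
  return { lines: out, flagged };
}

// Constructed sample: the line from the question plus an ordinary request.
const SAMPLE_LOG = [
  'GET /login/jsonp?callback=jQuery21403191181201609543_1535388742134&email=email%40gmail.com&password=SjRrNOHzN&_=1535388742135 200 32.987 ms - 130.',
  'GET /healthz 200 0.412 ms - 2',
];

const demo = redactLog(SAMPLE_LOG);
console.log(demo.lines.join('\n'));
console.log(`${demo.flagged} line(s) carried sensitive query parameters`);
```

Redaction at write time limits the damage, but it does not help with the copies of the URL that a CDN, proxy or browser extension keeps for itself, which is why the transport change in the answer is still the primary fix.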

1 Answer

JSONP is usually used with a server sending data to a client, wrapped in a function call which gets executed on the client by javascript. Sending data to a server does not require JSONP, it just requires a normal HTTP request.

You should definitely not use the GET method for submitting username + password pairs. Secondly, your response from the server should not include the login credentials themselves; the sensitive login data should only go one direction (from the client to the server) and never be reflected back. What I would suggest is two asynchronous calls, one to each server. You probably want to do this in parallel, rather than one after the other, using Promises. Then if both promises resolve and both servers indicate successful login, send back session IDs or tokens in the response from each server.

Rory Alsop
vrtjason
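As an added example (not the answerer's code), here is the flow the answer recommends in browser-style JavaScript: the credentials go in the body of a POST to each server, the two requests run in parallel, and the result tells the caller whether both servers accepted. The origin names, the /login path and the response shape ({ token }) are assumptions, and the fake fetch is a constructed stand-in so the block runs offline in Node.

```javascript
// Added example, not the answerer's code: the two-server login the answer
// describes, as parallel CORS POST requests rather than a JSONP GET.
// The origins and the /login path are assumptions; fetchImpl is injectable
// so the flow can be exercised offline with the fake fetch below.

const LOGIN_ORIGINS = ['https://app.example', 'https://api.example']; // assumed

// One login request. Credentials travel in the POST body, so they never appear
// in the URL that proxies, CDNs and access logs record. `credentials: 'include'`
// lets each origin set its own session cookie on the response.
async function loginOnce(origin, credentials, fetchImpl) {
  const res = await fetchImpl(`${origin}/login`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    credentials: 'include',
    body: JSON.stringify(credentials),
  });
  if (!res.ok) throw new Error(`${origin} rejected login (HTTP ${res.status})`);
  const data = await res.json();
  // The response carries only a session token, never the submitted password.
  if (typeof data.token !== 'string' || data.token.length === 0) {
    throw new Error(`${origin} returned no session token`);
  }
  return { origin, token: data.token };
}

// Logs in to every origin in parallel. allSettled (rather than all) keeps the
// per-origin outcome, so the caller can tell which server declined and can
// discard the partial session instead of leaving the user half logged in.
async function loginEverywhere(credentials, origins = LOGIN_ORIGINS, fetchImpl = globalThis.fetch) {
  const settled = await Promise.allSettled(
    origins.map((origin) => loginOnce(origin, credentials, fetchImpl)),
  );
  const sessions = settled.filter((r) => r.status === 'fulfilled').map((r) => r.value);
  const failed = settled.filter((r) => r.status === 'rejected').map((r) => r.reason.message);
  return { success: failed.length === 0, sessions, failed };
}

// Constructed stand-in for fetch: a routing table of canned responses plus a
// record of every request, so the calls can be inspected without a network.
function makeFakeFetch(routes) {
  const calls = [];
  const fakeFetch = async (url, init) => {
    calls.push({ url, init });
    const route = routes[url];
    if (!route) throw new Error(`network error reaching ${url}`);
    return { ok: route.ok, status: route.status, json: async () => route.body };
  };
  fakeFetch.calls = calls;
  return fakeFetch;
}

// Demo with constructed responses: the first server accepts, the second declines.
const demoFetch = makeFakeFetch({
  'https://app.example/login': { ok: true, status: 200, body: { token: 'sess-app-1' } },
  'https://api.example/login': { ok: false, status: 401, body: { error: 'bad credentials' } },
});
loginEverywhere({ email: 'user@example.invalid', password: 'correct horse' }, LOGIN_ORIGINS, demoFetch)
  .then((result) => console.log(JSON.stringify(result, null, 2)));
```

For the browser to accept these cross-origin responses, each server has to answer with Access-Control-Allow-Origin naming the calling origin exactly (not *) and Access-Control-Allow-Credentials: true; in current browsers the session cookie it sets must also be marked SameSite=None; Secure to be stored from a cross-site response. With those headers in place each origin gets its own cookie from its own POST, which is the effect the JSONP GET was being used to obtain.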