Nick
Katalon Apprentice
05/07/2018

Basic authentication in Web Service Request exposes password

Username and password must be provided. The "Show Password" checkbox displays the password. This is a security issue. Otherwise, what other options can be used to not display the password in the REST objects?

I know the password can be passed in on the fly; however, this doesn't solve the problem, and I believe the newly released encrypted password capability will not work with these objects.

Is this checkbox really necessary? Or what other options in securing passwords here are available?

Comments

  • Nick
    Katalon Apprentice
    05/08/2018
    I see there is no response, so let me request the following:

    Please remove the "Show Password" checkbox.

    This should be a very simple change. Actually, I honestly can't fathom, given the nature of this tool, why you would have it there.

    Katalon have recently introduced encrypting text and the proxy password; this will be in line with hiding plain text passwords, and should be a trivial change.
  • Trong Bui
    Katalon Moderator
    05/09/2018
    Nick,

    We understood the situation. This request will be put into our backlog for further investigation. Thank you so much for the suggestion.
  • Christian R
    Katalon Apprentice
    06/28/2018
    I want to tag along here with a related problem (basic auth and encrypted passwords), but can move this into a separate post if desired.

    I cannot find any way to use encrypted passwords from execution profiles in basic auth on web pages.

    Approaches tried:

    - Encrypt https://user:pass@dev.site.com in the execution profile. navigateToUrl(GlobalVariable.url) will not decrypt the password. (Passing the URL unencrypted works, but then I must save the password unencrypted.)
    - Authenticate(url, user, pass) - this also will not decrypt the password.
    - Write a Custom Keyword and build the user:pass URL myself using setEncryptedText(Element, text), but in this case there is no Element to write into.


    Version tried: Windows Katalon Studio, 5.4.2

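One way to keep the password out of the project files entirely while still driving basic auth, as an added example written for this thread (it is not Katalon's own code and was not posted by anyone here): a custom keyword that reads the credential at run time from environment variables set by the CI runner and hands it straight to WebUI.authenticate, so no REST object, execution profile or page element ever holds it. The package name, the variable names and the timeout are assumptions.

```groovy
package security.helpers  // hypothetical package name (assumption)

import com.kms.katalon.core.annotation.Keyword
import com.kms.katalon.core.webui.keyword.WebUiBuiltInKeywords as WebUI

class BasicAuthKeywords {

    // Log in with HTTP basic auth without storing the password anywhere in the
    // project: user name and password are read from the environment of the run
    // (set by the CI job or the tester's shell), not from a profile variable.
    // 'url' must be the plain site URL, never the https://user:pass@host form.
    @Keyword
    def loginWithEnvCredentials(String url, String userVar, String passVar, int timeout) {
        String user = System.getenv(userVar)
        String pass = System.getenv(passVar)
        if (!user || !pass) {
            // Fail loudly rather than falling back to a value saved in the project.
            throw new IllegalStateException("Environment variables ${userVar} / ${passVar} are not set")
        }
        // No page element is involved, so setEncryptedText is not needed; the
        // password exists only in this method's local variables for the call.
        WebUI.authenticate(url, user, pass, timeout)
    }
}

// Call from a test case (variable names SITE_USER / SITE_PASS are assumptions):
// CustomKeywords.'security.helpers.BasicAuthKeywords.loginWithEnvCredentials'(
//     'https://dev.site.com', 'SITE_USER', 'SITE_PASS', 30)
```

Because the secret is injected by the runner, it never appears in the repository, the REST object or the "Show Password" field, which addresses the concern raised at the top of the thread.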
  • Nick
    Katalon Apprentice
    08/09/2018
    The unencrypted password on the REST objects is a huge flaw.

    For my own case, simply removing the "Show Password" checkbox will satisfy my immediate requirement. This is such a simple change, but I can understand if you want to develop a more robust solution.

    Why should it be done?

    Katalon is a very good tool, and is used by teams of people. The "Show Password" approach to passwords is typically used for single accessible configurations (like a mobile phone). If the Test source is available, then it's a trivial matter for anyone to "show" the password. A huge security breach. In fact, this breach has meant that we have not been able to use Katalon for some of our testing and have had to revert to other methods. A real shame, because I think it's a great tool.