Basic authentication in Web Service Request exposes password


#1

Username and password must be provided. The “Show Password” checkbox displays the password. This is a security issue. Otherwise, what other options can be used to not display the password in the REST objects?

I know the password can be passed in on the fly; however, this doesn’t solve the problem, and I believe the newly released encrypted password capability will not work with these objects.

Is this checkbox really necessary? Or what other options in securing passwords here are available?


#2

I see there is no response, so let me request the following:

Please remove the “Show Password” checkbox.

This should be a very simple change. Actually, I honestly can’t fathom, given the nature of this tool, why you would have it there.

Katalon has recently introduced encrypted text and the proxy password; this will be in line with hiding plain-text passwords and should be a trivial change.


#3

Nick,

We understood the situation. This request will be put into our backlog for further investigation. Thank you so much for the suggestion.


#4

I want to tag along here with a related problem (basic auth and encrypted passwords), but I can move this into a separate post if desired.

I cannot find any way to use encrypted passwords from execution profiles in basic auth on web pages.

Approaches tried:

- Encrypt https://user:pass@dev.site.com in the execution profile. navigateToUrl(GlobalVariable.url) will not decrypt the password. (Passing the URL unencrypted works, but then I must save the password unencrypted.)
- Authenticate(url, user, pass): this also will not decrypt the password.
- Write a Custom Keyword and build the user:pass URL myself using setEncryptedText(Element, text), but in this case there is no Element to write into.

Version tried: Windows Katalon Studio, 5.4.2


#5

The unencrypted password on the REST objects is a huge flaw.

For my own case, simply removing the “Show Password” checkbox will satisfy my immediate requirement. This is such a simple change, but I can understand if you want to develop a more robust solution.

Why should it be done?

Katalon is a very good tool, and is used by teams of people. The “Show Password” approach to passwords is typically used for single accessible configurations (like a mobile phone). If the Test source is available, then it’s a trivial matter for anyone to “show” the password. A huge security breach. In fact, this breach has meant that we have not been able to use Katalon for some of our testing and have had to revert to other methods. A real shame, because I think it’s a great tool.
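The point raised in #4 and #5 is that once a basic-auth password sits in the test source (a `user:pass@host` URL in a profile, or a stored `Authorization: Basic` header on a request object), anyone with read access to the repository can recover it, checkbox or no checkbox: Basic auth is base64, not encryption. The following script, an added example and not Katalon's or the thread participants' code, scans a set of source files for both patterns and decodes the credentials it finds, the way a secret-scanning pre-commit hook would. The sample file contents are constructed for illustration and do not reproduce Katalon's real `.rs` or `.glbl` formats; the file names, regexes and function names are this example's own assumptions.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample "test source" files (not real Katalon artefacts; the
# markup is illustrative only). Two of them embed a basic-auth credential.
SAMPLE_FILES = {
    "Object Repository/GetUsers.rs": (
        "<name>Authorization</name>\n"
        "<value>Basic YWxpY2U6czNjcjN0UGFzcw==</value>\n"
    ),
    "Profiles/dev.glbl": (
        "<name>url</name>\n"
        "<initValue>https://user:pass@dev.site.com/login</initValue>\n"
    ),
    "Scripts/clean.groovy": "WebUI.navigateToUrl('https://dev.site.com/')\n",
}

# "Basic <token>" as it appears in an Authorization header value.
BASIC_HEADER = re.compile(r"Basic\s+([A-Za-z0-9+/=]+)")
# Any scheme://...@... URL, i.e. one carrying userinfo before the host.
URL_WITH_USERINFO = re.compile(r"[a-z][a-z0-9+.-]*://[^\s\"'<>]+@[^\s\"'<>]+", re.I)


def decode_basic(token: str):
    """Recover (user, password) from the token following 'Basic '.

    Returns None when the token is not valid base64 or lacks the ':'
    separator. No key is involved: whoever can read the header can do this.
    """
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def credentials_in_url(url: str):
    """Return (user, password) embedded in a URL's userinfo, else None."""
    parts = urlsplit(url)
    if parts.username is None or parts.password is None:
        return None
    return parts.username, parts.password


def scan_text(text: str):
    """List (kind, user, password) findings for one file's contents."""
    findings = []
    for m in BASIC_HEADER.finditer(text):
        creds = decode_basic(m.group(1))
        if creds:
            findings.append(("basic-header", *creds))
    for m in URL_WITH_USERINFO.finditer(text):
        creds = credentials_in_url(m.group(0))
        if creds:
            findings.append(("url-userinfo", *creds))
    return findings


def scan_files(files):
    """Map path -> findings, keeping only files that leak a credential."""
    report = {}
    for path, text in files.items():
        findings = scan_text(text)
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in scan_files(SAMPLE_FILES).items():
        for kind, user, password in findings:
            print(f"{path}: {kind} user={user!r} password={password!r}")
```

Run against a real checkout, the same two functions would be pointed at each file on disk; the useful outcome of such a scan is not the decoded passwords themselves but the list of files that must not be committed in that state.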