Keep passwords secret in katalon studio not using encrypt text tool

Hi,
is there any way of providing credentials in a login page in a secure way,
without using katalon studio encrypted text tool? (see screenshot)
It’s pretty easy to decrypt any text encrypted by katalon.
This worries me a bit since anyone with access to source code and katalon might get sensitive data as login credentials.
In essence, below code is what I intend to avoid:
'Introduce password'
WebUI.setEncryptedText(findTestObject('Object Repository/Frontend/login page/input_Password_password'),
GlobalVariable.password)
Regards.
KS1

That’s a bold claim. If you have such an easy method, you should contact the developers (perhaps on GitHub) and explain how it’s so easy.

Hi Russ,
see screenshot in which you may see decrypted text from encrypted one (password / 8SQVv/p9jVScEs4/2CZsLw==). For obvious reasons I’m not sharing the code to decrypt.

Now I understand. Your Decrypt() code covers the same territory as the built-in code – right?

I don’t see the issue, I’m afraid. Perhaps a change in approach might alleviate your concerns?

  1. Don’t call your GlobalVariable “password”
  2. Call a method (perhaps in an external JavaScript file) that conducts the login procedure. Rather than call it something like “Login” call it something obscure, like “cabbage”.
  3. Don’t be so clear about the naming of the Test Object either – call that something obscure, too.
  4. Find a circumspect path to access the password input on the page (there’s always a way to make that more obscure).

Also, analyze the possible attack vectors – who exactly can gain access to your pipeline? If you reduce that access to the bare minimum, you might feel better about your perceived lack of security.

Lastly, consider creating an account before testing begins using a randomly generated name and password. Use that account for the duration of the test suite and delete the account at the end.

Hope that helps.


Hi Russ,
thanks for your reply, but all your proposals don’t really fix the issue, they just provide camouflage. It’s possible and easy to get sensitive data just with IDE Katalon and the encrypted data.

Generally speaking, storing whatever credentials within the code is a bad idea, no matter if they are encrypted or not.
Such should be passed at runtime by the CI.
How to store them securely with the CI is another story; it depends on the tool used and who has access to it.

Hi Bionel, I agree with you about storing sensitive data within the code.
In this particular case we’re talking about Katalon and the thing is how to pass, for instance, username and password if you don’t store it within the code; notice that this must be done in an automated way. How to do that with katalon?

Well … I see you are using a Global variable named ‘password’.
So, give it a default / dummy value when you push your code to Git.

With KRE you can override a Global variable at runtime by using the g_ option:

-g_<variable_name>
Override Execution Profile variables.

Example: -g_userName="admin"

see: Command Syntax (Command-line/Console Mode Execution) | Katalon Docs

Hi Bionel, thanks for your reply but it’s still the same case as with Russ, your proposal is only camouflage; you just hide the issue, you don’t resolve it. By doing what you and Russ mention you just make it a bit more difficult (just a bit) to locate the sensitive data within the code, but it’s still possible to get that data and decrypt it.

I don’t understand what you mean by ‘camouflage’.
The password won’t be stored with your code but only in the CI vault.
Period.
Something may be shown in the execution log, but it is up to you where you publish them.
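The runtime-override approach from the two posts above, written out as a CI wrapper. This is an added example, not code from the thread or from Katalon: the committed Execution Profile keeps only a placeholder, the CI's secret store injects the real value as an environment variable (LOGIN_PASSWORD and the placeholder CHANGE_ME_AT_RUNTIME are assumed names), and the value reaches the suite through the -g_ override. The katalonc flags other than -g_ are assumed from KRE's console syntax, not taken from this thread.

```shell
#!/bin/sh
# Constructed CI wrapper (example, not Katalon's code): the committed Execution Profile
# holds only a placeholder; the CI's secret store injects the real value as LOGIN_PASSWORD
# (assumed name) and it reaches the suite through the -g_ override described in the thread.
DUMMY_DEFAULT="CHANGE_ME_AT_RUNTIME"   # the value committed in the profile / pushed to Git

# Reject a missing secret or the Git placeholder. Returns 0 when usable, 1 otherwise.
# The value itself is never printed.
check_login_secret() {
    if [ -z "$1" ]; then
        echo "LOGIN_PASSWORD is not set; refusing to run" >&2
        return 1
    fi
    if [ "$1" = "$DUMMY_DEFAULT" ]; then
        echo "LOGIN_PASSWORD equals the repository placeholder; refusing to run" >&2
        return 1
    fi
    return 0
}

# Build the KRE override for one profile variable: -g_<name>=<value>.
build_override() {
    printf '%s=%s' "-g_$1" "$2"
}

# Replace every occurrence of the secret in a log line with **** before the line is
# published. Pure parameter expansion, so regex metacharacters in the secret are harmless.
redact() {
    line="$1"; secret="$2"; out=""
    while [ -n "$secret" ] && [ "$line" != "${line#*"$secret"}" ]; do
        out="$out${line%%"$secret"*}****"
        line="${line#*"$secret"}"
    done
    printf '%s\n' "$out$line"
}

# Run a suite with the secret supplied at runtime only. Flags other than -g_ are assumed
# from KRE's console syntax; the test case keeps reading GlobalVariable.password as before.
run_suite() {
    project_path="$1"; suite_path="$2"
    check_login_secret "$LOGIN_PASSWORD" || return 1
    set +x   # never let shell tracing echo the override into the CI log
    katalonc -noSplash -runMode=console -projectPath="$project_path" \
        -testSuitePath="$suite_path" "$(build_override password "$LOGIN_PASSWORD")"
}
```

Pass any captured output through redact before it is archived or published, since the CI vault protects the stored value but not a line that echoes it.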

All except the random account. Not even the tester knows what it is.

I agree that security through obscurity is not robust security. But you’re not explaining where you think the problem lies, i.e., where in your pipeline you think the attack vector lies. I (we) can’t know that, only you can know that. You are clearly concerned about a possibility of attack somewhere, but where? Is that point outside the Katalon “domain”? If so, it’s not really a Katalon issue.

My advice: if it’s a pipeline issue, follow @bionel’s advice. He’s the pipeline guru round here.

Hi Bionel, sorry I didn’t get you well; modifying a global variable that stores the secret during CLI execution might be a solution to avoid having sensitive data within your code. Thanks for this mate!


I agree with this, you should take this approach if possible. This is what we do all the time. Create a random, throwaway user account with a randomized password. You can either do this once at the beginning of your overall suite and remove/deactivate this user at the end, or, even better, create a new, randomized user for each relevant test case.

Otherwise, the only other way is as @bionel mentioned, you need to retrieve the password (and any other sensitive data) programmatically from a secure source.