Security of encryption used in Katalon Studio

There is no place to enter an encryption password in Katalon Studio.
Does that mean Katalon Studio is using a static encryption passphrase for all encrypted text (when I click Help->Encrypt Text)?
If something else is going on, please advise.
Currently, I’m a bit concerned about encrypting important passwords if they are easily reversible.
Thanks,
Ken


Yeah, you’re definitely right. I checked out the screenshot on this blog, entered “my new password” into my own copy of Katalon, and sure enough they encrypt to the same thing.

That would seem to indicate that the only thing required to decrypt is a copy of Katalon.

The right way to implement something like this would be to generate the encryption key with something the user typed that was then not saved, so they’d need to type it again the next time they open Katalon.
In the meantime, it’s at least effective at *tagging* passwords, so I’m thinking about training everyone to run a script that’d strip the passwords out of the XML before committing their files to Git… plus a reverse version that puts them back in (which you’d need to know an actual password to use)… that’d work, but it’ll be a lot of effort.

Thanks for confirming the issue exists.
It’s a fine product, but if they don’t take security seriously, they have a big problem.
Today, I’m looking at using variables instead, probably by replacing passwords before runtime in a data source file. See:
https://www.katalon.com/resources-center/tutorials/data-driven-testing/ and
https://docs.katalon.com/display/KD/Manage+Test+Data

Here is an alternative approach:

This approach does not depend on encryption at all. Let Katalon Studio read credentials from a katalon.properties file. Do not include it in the repository, so that nobody other than you can see the credentials.
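One way to implement the approach above in a Katalon project, as an added example that is not code from the original post or from Katalon itself: a small Groovy class that loads credentials from a properties file kept outside the repository and fails loudly when the file or a key is missing. The file location (the `KATALON_CREDENTIALS_FILE` environment variable, defaulting to `~/.katalon/katalon.properties`) and the key names `app.username` / `app.password` are assumptions chosen for this example.

```groovy
// Added example (not from the thread or from Katalon): read credentials from a
// properties file that lives outside the repository, so nothing reversible is
// ever committed. Assumed conventions: path from KATALON_CREDENTIALS_FILE,
// falling back to ~/.katalon/katalon.properties; key names are assumed.
// Remember to list katalon.properties in .gitignore as well.
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.Paths

class ExternalCredentials {
    static final String ENV_VAR = 'KATALON_CREDENTIALS_FILE'

    // Resolve the credentials file: explicit env var first, then the user's home.
    static Path credentialsPath() {
        String fromEnv = System.getenv(ENV_VAR)
        if (fromEnv) {
            return Paths.get(fromEnv)
        }
        return Paths.get(System.getProperty('user.home'), '.katalon', 'katalon.properties')
    }

    // Re-read on every call so values are never cached in a serialized artifact;
    // a missing file is an error, not an empty password.
    static Properties load() {
        Path path = credentialsPath()
        if (!Files.isRegularFile(path)) {
            throw new IllegalStateException(
                "Credentials file not found at ${path}; create it outside the " +
                "repository or point ${ENV_VAR} at it")
        }
        Properties props = new Properties()
        Files.newBufferedReader(path).withCloseable { reader -> props.load(reader) }
        return props
    }

    // Fetch one credential, refusing to continue with a blank value.
    static String require(String key) {
        String value = load().getProperty(key)
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException("Missing credential '${key}' in ${credentialsPath()}")
        }
        return value
    }
}

// Usage from a test case or custom keyword (assumed key names):
// String user = ExternalCredentials.require('app.username')
// String pass = ExternalCredentials.require('app.password')
```

Because the class reads the file at call time, the credentials only exist on the machine running the test and never appear in the project's XML or in Git history.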

Thank you. I will take a look!