Endpoint login exposes user credentials via query string

[colton-nicotera]

Frontend Deployment type

• Cloud Foundry Application (cf push)
• Kubernetes, using a helm chart
• Docker, using docker compose
• Docker, single container deploying all components
• npm run start
• Other (please specify below)

Backend (Jet Stream) Deployment type

• Cloud Foundry Application (cf push)
• Kubernetes, using a helm chart
• Docker, using docker compose
• Docker, single container deploying all components
• Other (please specify below)

Detailed Description

Logging into an endpoint (Navigating to /endpoints and selecting "register") passes the login credentials in the request query string. This could disclose the login credentials to third parties.

Request URL:

/pp/v1/auth/login/cnsi?username=username&password=password&cnsi_guid=MYGUID&connect_type=creds&system_shared=false

Context

This is a security issue that could expose the user's credentials to third parties.

Possible Implementation

The login credentials used to login to Stratos correctly pass the credentials in the body of the request. Emulating this request would correctly secure the user's credentials.

Request URL:

/pp/v1/auth/login/uaa

Form data passed:

username: johndoe
password: johndoe

[colton-nicotera]

@richard-cox is this planned to be fixed in the near future?

[richard-cox]

@nwmac I thought we changed this as part of a previous PR, but master looks unchanged. What's the latest update?

[colton-nicotera]

Will this be resolved soon?

[richard-cox]

I spoke to @nwmac a while back about this issue. I think the general feeling is as we use https the entire url is encrypted and we don't log the credentials in the backend.. so we're generally ok for the moment. We have no plans to change this in the near future.

[brittag]

Hi @richard-cox and @nwmac! My team would encourage reviewing this issue again and planning a place for it in your backlog, as part of good "defense in depth" security practices.

It's important to use the best practice of not embedding credentials in query strings, even if the system is not designed to actively log and monitor those query strings. This is because something could go wrong in a team's infrastructure or in another part of the system architecture that enables monitoring by an attacker or getting logged unexpectedly (which then could allow those logs to be reviewed by an attacker).

Strong security practices can help enable use of Stratos in a broader range of environments, including regulated and audited environments. Happy to answer questions or provide more comments if helpful - thank you!

[richard-cox]

Hi @brittag, thanks for commenting. We'll look into this in our next sprint (due to start next week)