Hi, I could do with some guidance reguarding password encryption.
I've written a script to login to a HTTPS website and retrieve a session token. I'm using OpenSSL and have created the certificates which appear to work.
My concern is whether or not the username and password are being sent in plain text in the content of the POST. Do I need to encrypt them before posting? If so, how do I do that?
Here is the code:
#!c:\perl\bin\perl -w use warnings; use strict; #use Crypt::SSLeay; use LWP::UserAgent; use Net::SSL (); # From Crypt-SSLeay use Data::Printer; use Time::HiRes qw(time); #use HTTP::Request::Common; #use LWP::Debug qw(+); #use IO::Socket::SSL qw(debug3); #BEGIN { # $Net::HTTPS::SSL_SOCKET_CLASS = "Net::SSL"; # Force use of Net::S +SL #} my $loginUrl = 'https://xxxxxxxxxxx.com/api/login'; my $username = "xxxxx"; my $password = "yyyyy"; my $appkey = "abcde12345"; my $ssid; $ENV{HTTPS_DEBUG} = 1; $ENV{HTTPS_CERT_FILE} = "C:/OpenSSL-Win32/bin/client-2048.crt"; $ENV{HTTPS_KEY_FILE} = "C:/OpenSSL-Win32/bin/client-2048.key"; $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0; my $ua = LWP::UserAgent->new; $ua->timeout(15); my $loginReq = HTTP::Request->new(POST => $loginUrl ); $loginReq->header( 'Accept'=>"application/json", 'X-Application'=>$appkey, ); $loginReq->content_type('application/x-www-form-urlencoded'); $loginReq->content("username=${username}&password=${password}"); print "\n\nLogin....\n\n"; my $loginRes = eval { $ua->request( $loginReq ) }; #print p($loginRes); print "\n\nas_string:\n".$loginRes->as_string; print "\n\nmessage:\n".$loginRes->message; print "\n\ncontent:\n".$loginRes->content; if ( ($loginRes) and ($loginRes->message eq "OK") ){ if ( $loginRes->content =~ /{"sessionToken":"(.*?)","loginStatus": +"SUCCESS"}/ ){ $ssid = $1; } } print "\n\nssid = $1 \n\n"; exit;
And here is the output:
Login.... SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A SSL_connect:SSL renegotiate ciphers SSL_connect:SSLv3 write client hello A SSL_connect:SSLv3 read server hello A SSL_connect:SSLv3 read server certificate A SSL_connect:SSLv3 read server certificate request A SSL_connect:SSLv3 read server done A SSL_connect:SSLv3 write client certificate A SSL_connect:SSLv3 write client key exchange A SSL_connect:SSLv3 write certificate verify A SSL_connect:SSLv3 write change cipher spec A SSL_connect:SSLv3 write finished A SSL_connect:SSLv3 flush data SSL_connect:SSLv3 read finished A as_string: HTTP/1.1 200 OK Connection: close Date: Thu, 06 Feb 2014 15:00:47 GMT Content-Length: 87 Content-Type: application/json;charset=UTF-8 Client-Date: Thu, 06 Feb 2014 15:00:16 GMT Client-Peer: 84.20.200.150:443 Client-Response-Num: 1 Client-SSL-Cert-Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Netwo +rk/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign +Class 3 International Server CA - G3 Client-SSL-Cert-Subject: /C=GB/ST=United Kingdom/L=London/O=xxxxxxxxxx +xxxxx/OU=xxxxxxxx/CN=xxxxxxxx.com Client-SSL-Cipher: RC4-SHA Client-SSL-Socket-Class: Net::SSL Client-SSL-Warning: Peer certificate not verified POOL: /Common/PRDSSO {"sessionToken":"HeKrc1c7tRYOwvBkHP5iuR/P/Q6lHqcxLkOKT5+gP5I=","loginS +tatus":"SUCCESS"} message: OK content: {"sessionToken":"HeKrc1c7tRYOwvBkHP5iuR/P/Q6lHqcxLkOKT5+gP5I=","loginS +tatus":"SUCCESS"} ssid = HeKrc1c7tRYOwvBkHP5iuR/P/Q6lHqcyZkOKT5+gP5I=
In reply to HTTPS and LWP - Is my password encrypted by Anonymous Monk
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |