Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Cleanest way to hide password input fields?

Tags:

security

passwords

asp.net

We have some error reporting code that, when an unhandled exception occurs, we send everything over in an email to our groups. This is great except if an unhandled exception occurs on a page with a password field then it's sent over as plain text.

Is there a way to iterate through Request.Form and figure out which item(s) are passwords? This is done at a low level so we can't look for specific controls.

Naturally, we could check to see what type the input box is but I'm not sure if that's the cleanest way. Advice?

like image 866
Kris Avatar asked Nov 25 '25 16:11

Kris

2 Answers

Use a whitelist of field names that you want to email.

There could be hundreds of field names that get POSTed to your server. And password isn't the only field that is sensitive. Depending on your application, there could be other things that should be treated with a little respect.

So, make a list of field names that will assist in you in debugging. These are typically unique identifiers / database keys and such. If you have any parameter names in this list, you can include it in the email.

like image 192
Sripathi Krishnan Avatar answered Nov 27 '25 07:11

Sripathi Krishnan

I've suggested a different solution earlier, but I thought you were going to handle this on the client side. Following your comments I now understand that you need to take care of this on the server side. There may be a way for you to do it, which is not really elegant, but it should work:

Add to all pages a script that collects all password field names into a new client-generated field, like so:

function collectPasswordFields() {
    var inputs = document.getElementsByTagName('input'), list = [];
    for (var i = 0; i < inputs.length; ++i)
        if (inputs[i].type == 'password') list.push(inputs[i].name);
    var field = document.createElement('input');
    field.name = '__password_fields';
    field.value = list.join(',');
    document.getElementsByTagName('form')[0].appendChild(field);
}

Then intercept the additional field in the server-side error handler, and remove the named fields from the email.

Can something like this work for you?

like image 23
Roy Sharon Avatar answered Nov 27 '25 05:11

Roy Sharon
Sign in to Comment

Related questions

ASP.Net MVC AsyncController log request processing time

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!