I have a simple login form on my website, using .Net MVC. When the form is submitted a partial view is loaded with a success message. A simplified version of the form can be found here: https://jsfiddle.net/hev4f64f/10/
The Problem:
When the above form is loaded in MobileSafari (jsfiddle.net/hev4f64f/10/show/) using simulator or iPad and submitted, on inspecting the process memory dump I see the password in memory in plain t text.
I am using the method described here for inspecting MobileSafari memory dump, and then searching for the password using the following command:
grep -a 'P#$$W0Rd' core.1234
Following is a sample occurrence of the password "southpark" in the dump.
NS.boolval$clasNSNumber
NS.object.3 NS.bytes southpark$clasNSStrinNS.key.9
NS.byte'ControlLooksLikePasswordCredentialField$clasNSString NS.key.11
NS.byte)ControlLooksLikeCreditCardCardholderField$clasNSString
NS.object.21 $classNSNull NS.key.12
NS.byteControlIsDisabled$clasNSString
Not sure what "ControlLooksLikePasswordCredentialField" in the dump means.
My initial guess was it has something to do with the Safari Password Manager, but I have set autocomplete=off in the form. I am also clearing the fields in the client after form submission.
Any idea how to get rid of the password in memory?
For anyone else who comes across the same issue, I implemented a workaround solution using plugins.jquery.com/disable-autocomplete
Related
I am trying to automate web form data entry by using selenium VBA. We need to submit the forms on our organization SharePoint site, which requires us to log-in. I have already logged into the account. Please see the code below. Whenever I open the page (last step), there is a pop-up window asking me to enter the username and password again. I need to pass this step in order to get to the form that I want to enter all my information. I am not quite sure if this is an extra security that our IT team set up, but I could not inspect the page. I have included a screenshot here. I am hoping to inspect the pop-up window somehow so that I could use FindElementById. Thank you in advance for your reply.
obj.Start "chrome", ""
obj.Get "link"
obj.FindElementById("passwordInput").SendKeys ("password")
obj.FindElementById("submitButton").Submit
obj.FindElementById("idSIButton9").Submit
obj.FindElementByClass("reg-button").Click
obj.Wait ("1000")
obj.FindElementByXPath("//div[#id='slwp_ctl00_ctl41_g_f6ad5b95_2503_406f_ad81_eb5b3f59cad2']/div/div[3]/ul/li[10]/div/a").Click
I had a similar issue. However, in my case the dialog box was coming even before the login page was displayed.
The solution to the issue is given here
Maybe something similar will help for you. Please try following steps.
I am not sure of the syntax in VBA. But these steps should help you.
Get the current URL.
In java this can be done by using the getCurrentUrl() method of WebDriver interface.
Modify this current URL to include username and password.
The modified URL should be of in the following format:
http://username:password#example.com/
In java, this can be done by using the various methods of String class,
Submit the modified URL.
In java this can be done by using the get(String URL) method of WebDriver interface.
I have recently started to pick up frontend stuffs and been writing a very simple web app for my workplace where each of the users are required to log in. They have already been given a preset account (pattern: Txx, xx stands for staff number) and a password, saved in a MySQL.
login box on UI
input type is password
Log-in was technically workable. Originally as I had set input type = "password" so the password box showed ******** when they did the input on browser.
Nevertheless, when I checked phpMyAdmin page and get into the 'user' table of my DB, where usernames and passwords are saved for PHP checking, I can actually see the password (I logged in with root...)!
blue paints hiding exact numerical passwords the users use
Isn't it supposed that even admin(root?) cannot see the password?
Is it that chrome browser might actually have understood the 'type is password' and encrypted the input and send to PHP which programs to save password on MySQL? (I did not use any functions like md5(xxx) in my HTML codes however...)
Is anything wrong (or should be done) to mySQL setting? Or did Chrome actually NOT encrypt the inputs before sending to PHP?
Chrome does not encrypt the password for you. you have to do it yourself by hashing it when saving it to your database
Read more about it here
http://php.net/manual/en/function.password-hash.php
So I have already created a database using the pgadmin3 in postgresql. I have a set of email-ids and passwords. The passwords which I have stored are hashed, i.e. by using pwd_context.hash(password) from the pass.libs.
I have stored them as shown below in the database. Now I have to create another login form in html to authenticate. I am new to flask, but I have seen something called as flask-login. How to compare the password entered in cleartext with the hashed password in database.
Flask-login provides a set of functions... for user login,logout and so on. More information on Flask-login can be found at https://flask-login.readthedocs.io/en/latest/.
For creating and checking a password hash: When working with Flask often werkzeug security is used to create/hash and check passwords. A snippet in which this is demonstrated can be found here : http://flask.pocoo.org/snippets/54/
Finally an internet search (I have not used any of these tutorial/pages before) retrieved following page: https://blog.miguelgrinberg.com/post/two-factor-authentication-with-flask with a quick browse of the page I found an example of using flask-login and werkzeug for user-login/logout under the title 'The First Factor: Password Authentication'. A quick pointer when using this tutorial is that there have been some changes in naming since the page has come online. For example flask.ext.login has been renamed to flask_login. The tutorial http://blog.sampingchuang.com/setup-user-authentication-in-flask/ also provides more information on flask-login and werkzeug. The pointer on renaming is also valid for this one.
I am working with TS-7500 (ARM 9) board running Debian Linux (Linux ts7500 2.6.24.4). It is connected to a couple of sensors and is running driver code to talk to these sensors.
Every time the C program starts, it reads a couple of config-parameters from a config-file and starts sensors with those values.
So the task at hand is : presenting a web interface to show/edit these config-parameters to user. The task of the web interface can be summarized in four steps :
Read config-parameters from the config-file and show the current configuration
Allow user to change the configuration
Capture and save the changes to same config-file
These config-parameters could be presented as drop-down menu items or radio-buttons. And I have a linux background script which restarts the C prg when config-file is modified.
I know TS-7500 runs Tomcat. Now please suggest a good way to handle this problem. I have heard about using Servlet and JSPs (am not very familiar with those actually). Which one of them is suitable to generate HTML pages dynamically ? (as I see everytime I need to generate a new HTML page by selecting the current configuration while displaying the page).
Sorry for being very elaborate !
EDIT : Beeps ! No reply ? Come on guyz, is the question not clear ? Or no one has ever faced a similar problem (design problem) ??
The solution would be to use a PHP in addition with Apache web server ! PHP script could be used to
Read the config file and capturing the parameters
Generate a HTML form (by pre-selecting the dropdown menus and radio buttons from the already read parameters)
And capturing the new edits and saving them to config file.
PHP script must be placed in /var/www/ directory of the embedded board. Then from any system, it could be accessed just by keying the IP address of the board and the script name using a simple web browser.
I'm trying to write 2 simple tests for my website. It's my first time doing this, and I'm running into a bit of an issue
The test specs are super simple: just fill_in the email + password fields, then I click "signup" or "login" based on which I am testing.
I am facing several issues sadly:
After the click_on("...") call, I have a page.should have_content call. But this never seems to succeed. Selenium closes firefox before I see a successful sign up or login.
For login, I'm not sure how to make sure that the test is using my local database. I am on mysql, and I know my DB is running (I can run queries on mysql administrator), but I don't know if the login is using my DB, and I don't know if the signup is actually putting a new record in my DB.
Thanks a lot for your help in advance!
Ringo
Rspec will use a different database as development and production.
You can check the name of the database in config/database.yml with the environment 'test'.
To see the page which is testing, you can call the method save_and_open_page.
It will open a page in your browser and you will be able to know what's going on.