FOSUserBundle, password (plainPassword) are not encrypted on submit POST form

Question

In my Symfony project, I am using the FOS user bundle.

In my secutity.yml I have this in order to use bcrypt encoder:

security:
    # FOS UserBundle needles
    encoders:
        Symfony\Component\Security\Core\User\User: bcrypt
        MyNamespace\MyBundle\Entity\User: bcrypt
        FOS\UserBundle\Model\UserInterface: bcrypt

I call the fos user registration form in an embeded form like this:

$builder
  ->add('contactPhone')
  ->add('contactMobilePhone')
  ->add('user', 'fos_user_registration', array(
                                               'label' => false,
      ))

It renders me this for example:

But when I submit the form, I could see in the network console browser that my password are in plain text and everybody could use them.

So I can recover all datas of my POST request in the console browser:

my_form[user][email]=test@test.com

my_form[contactPhone]=0404040404

my_form[contactMobilePhone]=0606060606

my_form[user][username]=test

my_form[user][plainPassword][first]=test // first password entry

my_form[user][plainPassword][second]=test // verification

my_form[save] // submit my_form[_token_consumer]=// no need to see him

You could understand That iit's not secured. I need to encode the password when I submit the form in order to not allow everybody to see them.

Note that the same thing occured when I log myself with the FOSUserBundle user login form.

score 2 · Answer 1 · answered Feb 15 '16 at 15:55

2

Every data sent trought a http connection can be seen by someone in your route to the server (man in the middle attack).

type="password" only hides the character on-screen, and even other programs on your computer can read the data.

The only way to protect the data is to send it trought SSL (HTTPS instead of HTTP)

answered Feb 15 '16 at 15:55

Puya Sarmidani

1,226
9
26

1

http://symfony.com/doc/current/cookbook/security/force_https.html will help you with that – Puya Sarmidani Feb 15 '16 at 16:03
thank you for your link and the force https, I am looking for something like this, I will try your suggestion ! – french_dev Feb 16 '16 at 08:45
1

You should use TLS (HTTPS) encryption because SSL has a know bug and it will be deprecated – fcpauldiaz Feb 17 '16 at 20:46

score 1 · Accepted Answer · answered Feb 15 '16 at 15:57

I don't mean to be the bearer of bad news but this flow you are encountering is expected. I will assume, within the database that your users passwords are in fact, encrypted.

The form data itself, should not contain any type of encryption. It's once you submit the form data to the server side that the data becomes encrypted. To properly encrypt the use input, the plain values must be submitted to the server. If you did any type of 'pre-encryption', you would need to change the flow of your registration process to validate the hash and allow it to be inserted into the db, but that's not recommended.

If you are worried about somebody else using this data to make XSS attacks, then CORS/CSRF is what you'll need to set up to alleviate that problem.

Why do I say your current issue is not a problem? Well, if you go to just about any site with a registration form, and submit it, you will see the plaintext password in the request parameters as it is normal. Facebook and Google both send the plaintext password on login/registration. Why? Because it's fine and expected behavior.

be reassured in my DB the passwords are encoded and encrypted with `bcrypt`, and my application will be on a https server later. That I was looking for is to be sure that my code is secure and if this browser behavior is "normal" — french_dev, Feb 15 '16 at 16:15
I think my answer explains how/why it is normal. I did not mention SSL since it was not within the scope of your question. If this answers your question, please mark it as so. If not, please explain what additional information is necessary. — 0xMatt, Feb 15 '16 at 16:41

FOSUserBundle, password (plainPassword) are not encrypted on submit POST form

2 Answers2