
I have a WCF service protected with basic authentication. It is called from an MS Dynamics CRM JavaScript web resource using a jQuery ajax call, as follows:

    $.ajax({
        async: false,
        type: "POST",
        beforeSend: function (req) {
            // BasicAuth holds "user:password"; btoa only base64-encodes it
            req.setRequestHeader('Authorization', 'Basic ' + btoa(BasicAuth));
        },
        contentType: "application/json; charset=utf-8",
        // serviceUrl is the base address of the WCF service
        url: serviceUrl + "/GetData"
    });

When I call the service, the authorization header is visible in the browser developer tools window.

This is leading to a vulnerability, as any attacker can use this information.

Can someone please advise how this can be corrected?

VJOY
  • "any attacker", well, only the user of the browser where it's occurring...unless you're not using HTTPS. Short answer: Make sure you're using HTTPS. P.S. `async: false` in AJAX is deprecated and an anti-pattern. There should be no reason to use it. Instead use promises/callbacks correctly to process the response. – ADyson Sep 27 '19 at 14:23
  • This is a fundamental "issue" with authentication. The best you can do in this case is likely to ensure you're using HTTPS. – phuzi Sep 27 '19 at 14:23
  • We have been trying to convince our "security tester" that this resource will be running on the user's web browser. – VJOY Sep 27 '19 at 14:26
  • In what way are they not "convinced"...they can't recognise a browser window? I'm not sure what you are trying to say...what is the tester's concern, specifically? And...are you using HTTPS right now for this AJAX request, or not? – ADyson Sep 27 '19 at 14:26
  • On production it is HTTPS. Testers are saying that basic authentication credentials should not be visible in the browser, even though those are encoded/encrypted. – VJOY Sep 27 '19 at 14:28
  • "Testers saying that basic authentication credentials should not be visible in the browser"....they are fundamentally wrong, this is an impossible requirement. The main thing is to ensure they are not visible **outside** the browser (which is the primary reason for using HTTPS). Anyway, surely the user is the one who entered the credentials to begin with?? – ADyson Sep 27 '19 at 14:29
  • In our case, these are seeded credentials for WCF services which interact with the Dynamics CRM database. – VJOY Sep 27 '19 at 14:30
  • In that case theoretically the user could steal them, yes. But then when they call the service using them, they can still only do whatever that account has permission to do...so presumably not any more than the user can already do anyway (or else you should not let their browser session use those credentials). The only other threat I can think of is some kind of XSS injection where a malicious script unwittingly included in the page could try and steal the creds. So you should ensure you have general anti-XSS measures in place anyway (as you would in any web app). – ADyson Sep 27 '19 at 14:34
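As an added illustration of the points raised in the comments (this is example code, not from the question or from the commenters), the following builds the same GetData request without `async: false`, refuses to attach a Basic header unless the service URL is HTTPS, and shows why "encoded" is not "encrypted": the header can be decoded by anyone who can read it. `serviceUrl`, the `/GetData` path and the "user:password" value in the comments are assumed or constructed.

```javascript
// Added example, not the question's own code. Works in the browser and in Node.
const toBase64 = (s) =>
  typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'binary').toString('base64');
const fromBase64 = (s) =>
  typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('binary');

// Build the POST to serviceUrl + "/GetData". Throws for any non-HTTPS URL:
// base64 is reversible, so without TLS the credentials cross the network in the clear.
function buildGetDataRequest(serviceUrl, basicAuth, payload) {
  const url = new URL(serviceUrl.replace(/\/$/, '') + '/GetData');
  if (url.protocol !== 'https:') {
    throw new Error('Basic credentials must only be sent over HTTPS, got ' + url.href);
  }
  return {
    url: url.href,
    options: {
      method: 'POST',
      headers: {
        Authorization: 'Basic ' + toBase64(basicAuth),
        'Content-Type': 'application/json; charset=utf-8',
      },
      body: JSON.stringify(payload),
    },
  };
}

// What a tester (or any script running in the page) can recover from the header:
// base64 is an encoding, not encryption, so the credentials come straight back.
function decodeBasicHeader(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(headerValue);
  if (!m) return null;
  const decoded = fromBase64(m[1]);
  const sep = decoded.indexOf(':');
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Promise-based replacement for the blocking async:false call.
function getData(serviceUrl, basicAuth, payload) {
  const { url, options } = buildGetDataRequest(serviceUrl, basicAuth, payload);
  return fetch(url, options).then((res) => {
    if (!res.ok) throw new Error('GetData failed: HTTP ' + res.status);
    return res.json();
  });
}
```

The HTTPS check only stops the credentials leaking in transit; a seeded secret shipped in a web resource remains readable by the user and by any script that runs in the page, which is why the XSS hardening mentioned in the comments still matters.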

0 Answers