Burp community forum

Password seen in clear text on Burp tool

Garry | Last updated: Aug 27, 2019 12:48PM UTC

Hi , My website has login form. I have entered username and password and intercepted in Burp proxy. Password is seen in clear text in request body Is this vulnerability ? Also, please explain how is this possible ? Is yes, as a PEN tester what is the recommendation to be given for encrypting password in the request body?

Liam, PortSwigger Agent | Last updated: Aug 28, 2019 07:28AM UTC

Burp Suite breaks the SSL connection. However, Burp's own SSL certificate is installed in your browser. Very few applications hash a password before it is sent to the server. Burp identifies when an application transmits passwords over unencrypted connections: - https://portswigger.net/kb/issues/00300100_cleartext-submission-of-password Please let us know if you need any further assistance.

You need to Log in to post a reply. Or register here, for free.