How to make applications that prevent a proxy from capturing credentials/payment/sensitive data?


I've recently been thinking about logins, payments and sensitive data handling, even in popular web applications, and freaking out a bit, to be honest, probably due to ignorance, so I needed to ask here.

I'm a bit surprised at how easy it can be for someone capable of introducing proxies (via the computer/network) to read credentials and sensitive data, and I'm wondering if there's some (preferably well-known) approach for developers to tackle what I GUESS is a problem.

Let's say you pick a very well-known website with a traditional email-password login form option (e.g. Airbnb) and:

  1. Open Burp Suite
  2. Click on the "Proxy" tab
  3. Make sure "Intercept is off"
  4. Open the browser that you'll use to navigate the site
  5. Navigate to the site
  6. Use the traditional email+password login (no social network buttons), but before clicking the final "Login" button, switch Burp to "Intercept is on"
  7. Now click on Log in and Burp will immediately pause the loading, and you'll be able to see something like:
POST /api/v2/login[...]
{[...]"authenticationParams":{"email":"YOUR_EMAIL_HERE","password":"YOUR_PASS_HERE"}}}

Anyone capable of introducing a proxy into my computer/network is able to see the credentials (username & password) in human-readable text.

My question: is there any standard way of preventing this from being so easily read? Is this a normal case?

Thanks in advance, and sorry for my basic knowledge of the cybersecurity field.

2

There are 2 best solutions below

1
Rob Napier On BEST ANSWER

So my question is, is there any standard way of preventing this from being so easily read? Is this a normal case?

Absolutely. It's called TLS, and that is why it exists. The majority of websites use HTTPS, which relies on TLS for exactly this reason.

If you're intercepting and decrypting this information over HTTPS (or another TLS channel), then you've installed a trusted root certificate to allow MITM (machine in the middle) attacks. This intentionally defeats TLS to permit diagnostic work, but should never be done in normal situations.
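As an added illustration of the point above (example code written for this page, not from the answer or from any product it names): the interception in the question only succeeds because the proxy's root certificate was installed as trusted, so the forged chain validates like any other. An application that does not want to rely on the local root store alone can additionally pin the public key it expects and reject a leaf whose SubjectPublicKeyInfo hash differs, even when the chain is "trusted". The certificates below are self-signed test material generated in memory; one stands in for the real site, the other for a certificate minted by an interception proxy.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// NewCert builds an in-memory self-signed server certificate: constructed test material
// standing in for the real site, or for a certificate minted by an interception proxy.
func NewCert(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // test material: errors ignored
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// SPKIPin is base64(SHA-256(SubjectPublicKeyInfo)): the value the application ships with
// its own code, independent of whatever the machine's root store has been told to trust.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPinned is what a pinned client does on each handshake: first the ordinary chain
// check against the trust store (the failure a browser warns about), then a second check
// that the leaf key is the pinned one, which an interposed proxy certificate cannot pass.
func VerifyPinned(roots *x509.CertPool, pin string, leaf *x509.Certificate) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	if got := SPKIPin(leaf); got != pin {
		return fmt.Errorf("chain trusted but SPKI pin mismatch (%s): interposed certificate", got)
	}
	return nil
}
```

In a real client the same check goes into the tls.Config's VerifyConnection callback, which Go invokes after the standard chain verification has already passed.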

0
Soumen Mukherjee On

While from the application perspective TLS is imperative to have, it is equally important for the end user to be aware of the behavior of the browser in case the TLS is compromised. So user awareness should not be taken for granted and should get equal emphasis.

Typically, a browser like Chrome will show something like this to the user, and the user should refrain from proceeding and should get in touch with experts.

[Screenshot of the browser's certificate warning, not reproduced]