git reflog is showing plain text password used as a secret texts or files in Jenkins

We are using Jenkins Freestyle Project to the push the changes on the remote server. We are executing shell script on remote host using ssh for it. To pull the changes on remote host, we are using origin url with git username and git password. The credentials should not be visible in plain text in the url that’s why we have stored them in variables using ‘secret text(s) or file(s)’ option of ‘Build Environment’.

The git credentials are not visible to the users who are using Jenkins for other projects but the remote server is showing git credentials in plain text. Any user with ssh access of the remote server is able to run the git reflog command in the project directory.

Port 22 cannot be opened on the server where gitlab is deployed so we cannot use ssh keys method to create the build in Jenkins. We can use only http method to pull the changes.

Is there any way so we could implement to avoid showing the git credentials in plain text in the project directory.

What’s the term for a hash sent early and plain text revealed later?

I think there is a known pattern where you post the hash of a document, e.g. on Twitter, in order to have its time registered. You could then later publish the document and have it accredited for the time of the hash.

I’m sure someone gave this procedure a name. What is that name?

I found trusted timestamping, but that is a thing for digital certificates, which do not come into play here.

Passing plain text password over HTTPS

My login for POST is over HTTPS. Therefore, I don’t do anything to the provided password before submitting. And I don’t see an issue there unless someone is watching your browser’s developer console. (Tested the Google login. They also share the same approach.)

But I’ve received a concern asking "malicious user succeeds in session hijacking in someway will be able to access the end user credentials". Is this a valid argument? if so, how can I act?

Sending password plain text in POST body is safe? [duplicate]

I recently started learning about pentesting, and I tried to see the request body of a website that I use frequently, and that’s what I saw:

u

(“senha” means “password” in portuguese and “entrar” means “to enter”). My question is: Is this a correct approach? I mean, can someone intercept this data and get my password? And how could this be possible?

Is there any existing obfuscation scheme that makes cipher text indistinguishable from plain text? [migrated]

Suppose a totalitarian government (in the name of anti-terrorism / protection of intellectual property):

  1. has outlawed encryption itself – encryption is only approved for cases where the state has reviewed the design and made sure it can decrypt/inspect the message, and made any unapproved encryption a criminal offense
  2. has total control over anything in and out of the network at ISP-level, as well as anything that passes through web services

How could two citizens Alice and Bob, using approved (and monitored) instant messaging service to set up a secure line of communication, conceal the fact that the communication is encrypted, i.e. to make it indistinguishable from unencrypted data, or at least, make it computationally- or financially-infeasible to distinguish it from plain text?

For example, no one would assume the following message to be encrypted:

  • Across the Great Wall, we can reach every corner in the world.

But it would be assumed that the following is:

  • WZ2A805Wq3rzpiuzE+ZCulgDrn76pVRW5PVUJ4DDadFQD4P9PsTeegbo5CAkqI4yZrO//p
    sYT+ZQkqZ6IrSGng==

  • 599D80F34E56AB7AF3A62BB313E642BA
    5803AE7EFAA55456E4F5542780C369D1
    500F83FD3EC4DE7A06E8E42024A88E32
    66B3BFFE9B184FE65092A67A22B4869E

For the purpose of this question, we assume the following technical details:

  1. the IM service is text-only, binary data is not allowed (in an IM setting, sending primarily small binary fragments back and forth would probably raise suspicion anyway)
  2. communication between Alice and the IM service, Bob and the IM service, are both end-to-end encrypted. A government agent Eve has a copy of the decryption key the IM service used
  3. proof that the message is encrypted is not required. I.e. Eve does not need to know the plain text or the algorithm used to produce the cipher text. She only needs to tell, with a reasonably-low false-positive rate, if a message is the result of an encryption
  4. the endpoint is secure, no backdoor or malware on the computer/router, etc.

I’d like to know if there are any reliable research on this, is it feasible or not, and if feasible, any existing protocol or algorithm developed for this?

Eve, in case you are watching, I’m asking this for academic purposes only. 😄

Plain text file encryption

Context:

I have a custom tool which connects to remote servers using ssh, installs and deploys services. That tool only accepts a erlang tuple in textfile as input for server names and ssh credentials. i have a wrapper on top of the tool which generates erlang tuple text file . Now i trying to encrypt the text file using python Crypto . I am planning to encrypt the text file with user input key and while connecting to servers decrypt it for ssh connection and then am planning to encrypt the text file back once deployment is done.

My Question: can ssh sessions be made with encrypted text file ? also i have used ansible vault i past. Does ansible vault decrypts textfile before making ssh sessions internally ?

Is decrypting text file for ssh session and restoring the encrypted file back a security problem ? Appreciate your help.

Store passwords local with plain text access on WinPE

I have an application that needs to store Network Credentials for a Network Drive/Share on the disk. The user shouldn’t need to enter the password every time. The OS is WinPE, so he cannot map the drive once and it will stay there.

Limitation:

  • I need the password in plain text, to map the drive.
  • The program should work without an additional password that the user has to enter.

Thoughts:

  • Hash + Salt is not reversible, so I cannot get the password in plain text.
  • An encrypted password is not safe, because the program has to store the key. If someone looks inside the code he will get the key and decrypt the password.
  • I cannot use the “Protect Data” interface of windows, because I use WinPE. Protect Data Documentation

The program is written in C#. Maybe someone has a good idea about my problem. Thanks!

Keeping passwords in plain text in “value” attribute. Addons can use this for password leaking

Either there is a security hole or I’m missing information about something.

While I was testing how Surfingkeys addon works I’ve noticed that it has command yf to copy form content on current web page. I though about testing it on “Sign In” and “Log In” forms on few websites to see if it would be able to retrieve typed passwords in plain text. It was successful if standardized <form> tags were used.

Then I’ve noticed that in most web applications password is kept in <input value=""> attribute in plain text which to me seems like by-standard security hole for whole W3 stack (HTML, CSS, JS, etc.). If this addon was able to get password from DOM then any addon can do that. The only piece missing is sending that data to server of a 3rd party who are owners of such malicious addon – such situation already had place with Stylish.

So attack scenario looks like this:

  1. Company “mal1c1ous” buys popular web addon.

  2. They add to addon generic <form> parser script which retrieves data from <input value="">.

  3. For each known website they make their addon “decorate” submit buttons with script which on click 1st sends request with credentials to their server and then to host of that website. Or they just send requests each time parser script is able to get new data.

  4. After some time they perform an attack using gathered credentials.

I find that scenario possible show me that it can’t happen. Also my question is: given that is Web security flawed by design?

The thing is that no one discourages from using <input value=""> as a password holder it seems that there is no other option by standard. Web developers can only come up with their own ideas to obfuscate where a password is stored before request is made.

Should read-only text appear as plain text or in a read-only textbox?

Should I use labels for read-only information, or should I use read-only text boxes to maintain the look of the fields?

It seems to me that if something is in a textbox it implies there is some way to edit it, whereas plain text is explicitly read-only.

Update: While my question is similar to Locking input form fields, does it make sense?, mine is different in that I’m referring to fields that are never editable by anyone. It’s not based on the user’s rights or role.

mockup

download bmml source – Wireframes created with Balsamiq Mockups