I have a strange problem here. We ran an application security tool (Burp Suite) on our machine and the tool was actually able to get the user ID/password of the Orchestrator login as plain text. Does that mean Orchestrator doesn't have the capability to encrypt the user ID/password we type? What can we do to make it more secure and encrypted like other web servers/websites? Exposing the user ID/password as plain text looks like a major threat to me. Even if we change the password, we can find out both the old password and the new password. Can anyone please help me here?
Burp Suite is acting as a proxy in this case. Instead of your machine connecting directly to Orchestrator to create a secure channel, it is connecting through Burp, which is decrypting the traffic and showing it to you in plaintext. This only works if Burp is on the same machine that is making the calls, and it would not be able to decrypt calls from other machines.
You also seem to be making a POST call to send the credentials, meaning that the credentials originated in plaintext on your machine. The machine creates a TLS connection to Orchestrator to encrypt the traffic, ensuring that nothing besides Orchestrator and the machine is able to see the traffic. Burp is basically set up as a man-in-the-middle, so it can see the traffic. There is no vulnerability here, though.
@Security_Kevin - Hi Kevin, thank you for the insights. This concern was actually raised by one of our clients in the banking sector. They used something called Echo Mirage instead of Burp Suite, I believe, and the complaint was about the user ID/password coming out as plain text. To recreate it I am just using the built-in browser inside Burp Suite to log in to Orchestrator. Everything else is picked up by the tool itself.
I agree the connection is going through Burp, which is why it's able to decrypt. That makes sense.
If what you are saying is correct, I should be able to see the user ID/password for any web server/website I access through Burp Suite, right? But that's not the case; they come through encrypted. How can that be? What I am trying to find out is how I can make it encrypted like other websites, where none of these tools are able to decrypt it. Can you please help me understand this?
If I got it right, this is still not a vulnerability, because the data is always encrypted to third parties that do not have access to your machine (and a malicious third party having physical access to the machine means a compromised system anyway).
But, just to have the full picture, could you maybe mention an example of another website that you checked out?
@loginerror - I got curious and checked my personal bank account. I accessed the bank website through Burp Suite and logged in. The user ID is visible, but the password comes through encrypted.
I think this reply on Stack Exchange summarizes the topic pretty well: