Create custom login with encryption for password

1
Hello everyone,

Currently, I am using the authentication widget to handle sign-in on my web page. But when the site underwent a pentest, the pentester gave a recommendation like the one below:

"Based on the scenarios and risks given, we would like to provide some recommendations in order to prevent the exploitation from happening, including the following: Encrypt or hash the password in the request thoroughly, for all requests that consist of sensitive data."

The issue is that the pentester can show the password in the request body. Because of this, I want to create a custom login which handles encryption on the client side to encrypt the password data. Can Mendix handle encryption for this case? If yes, please explain step by step!
asked
3 answers
1

Hi Fadil,

With the Encryption module you can encrypt text inside microflows: https://marketplace.mendix.com/link/component/1011

I'm not sure if this will be enough for your use case though.

answered
1

Are you hosting your application using https? If you are, the request body should be encrypted as it passes from the client to the server.

answered
0

Thank you Mr Robert and Mr Patrick for the answer,

But in my case, we are not yet using SSL/HTTPS. Can we implement encryption on the request body to handle this case without using them?

And for Mr Patrick, how do I use this module to handle the login page? In the existing case I am just using the authentication widget from Mendix and I can't find the configuration of this widget. Please explain step by step.

Thank you

answered