
Jira password exposed in Chrome Developer Tools

Hi All,

Our IT Security team reached out suggesting that Jira passwords are exposed within the firewall. We have implemented Secure LDAP, and Jira is running behind an Apache firewall with a valid GoDaddy cert and is accessible over HTTPS. The Jira Software Server version is 8.8.0. The screenshot below shows the Form Data with the exposed password.

[Screenshot: JiraPW.PNG]

Anyone successfully masked this on Atlassian applications? Much appreciate any suggestions/pointers.


Thanks,

Anand

2 answers

1 accepted

3 votes
Answer accepted
Daniel Eads Atlassian Team Feb 04, 2021

Hi @Anand Dandikar, great question - I can see how this could be concerning at first glance.

Although the connection between your browser and Jira (and Jira and your LDAP server) is encrypted, the endpoints have to have the decrypted data in order to do something with it. For example, when you type the password into the password field, your browser must have your raw (unencrypted) password in order to then encrypt it. This is what you're seeing in the developer tools. Chrome then encrypts the login and password before submitting it over the network.

The browser is going to be aware of your inputs - and there's no avoiding that. This isn't specific to Jira; it's any password field on any website (see this Stack Overflow thread for more information). But in order for an attacker to make use of that data, they'd need to have control over your local machine in order to extract it from Chrome before it becomes encrypted. At that point, they could also keylog your machine to intercept the characters before they even reach the browser.

I'm glad your IT team is considering application security! In this regard, the most important thing is making sure the connection is encrypted at the browser (Chrome will give you the padlock [image.png] or throw some very angry warnings if the connection is not secure). With Apache running as a reverse proxy for Jira (presumably these are on the same machine / VM), and the connection encrypted between Apache and Chrome, you should be in good shape.

Cheers,
Daniel | Atlassian Support
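The accepted answer's practical takeaway is that the login form is only as safe as the TLS in front of it: the browser must only ever reach Jira over HTTPS, and the reverse proxy should force that. The following is an added example, not code from Atlassian or from anyone in this thread, that checks a login URL for exactly those two properties: plain-HTTP requests must redirect to https://, and HTTPS responses must carry an HSTS header with a meaningful max-age. The hostname `jira.example.com` is a constructed placeholder; `/login.jsp` is assumed to be the Jira Server login path.

```python
"""Check that a login page is only reachable over TLS and that the reverse
proxy instructs browsers to keep using TLS (HSTS).  Added example, not
Atlassian code; the hostname used in main() is a constructed placeholder."""
import http.client
import re
import ssl
from urllib.parse import urlsplit


def assess_transport(scheme, status, headers):
    """Return a list of findings for one response to the login URL.

    `headers` is a dict with lower-cased header names.  An empty list means
    the response looks right for that scheme."""
    findings = []
    if scheme == "http":
        # A plain-HTTP request for the login page must be redirected, never
        # answered with the form itself.
        if status not in (301, 302, 307, 308):
            findings.append("login page served over plain HTTP")
        elif not headers.get("location", "").startswith("https://"):
            findings.append("HTTP redirect does not point to https://")
    else:
        hsts = headers.get("strict-transport-security", "")
        max_age = re.search(r"max-age=(\d+)", hsts)
        if not hsts:
            findings.append("no Strict-Transport-Security header")
        elif not max_age or int(max_age.group(1)) < 86400:
            findings.append("HSTS max-age missing or shorter than one day")
    return findings


def fetch(url, timeout=10):
    """GET `url` with certificate validation on; returns (scheme, status, headers)."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        # create_default_context() verifies the server certificate chain and
        # hostname, so an invalid or mismatched cert raises ssl.SSLError.
        conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                           timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80,
                                          timeout=timeout)
    conn.request("GET", parts.path or "/")
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return parts.scheme, resp.status, headers


if __name__ == "__main__":
    host = "jira.example.com"  # placeholder; substitute the real proxy hostname
    for url in (f"http://{host}/login.jsp", f"https://{host}/login.jsp"):
        scheme, status, headers = fetch(url)
        print(url, status, assess_transport(scheme, status, headers) or ["OK"])
```

Run it from a workstation that reaches the Apache proxy; a certificate that the system trust store rejects surfaces as an `ssl.SSLError` from `fetch`, which is itself a finding worth recording.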

Thanks @Daniel Eads. What you explained about the data being encrypted after it leaves the client makes sense. So Apache doesn't go that far as to encrypt it directly from the login form, huh! It would be interesting to know how the packets travel between the client, the AD server, the application server and the database server once we hit the login button on Jira. Are any configurations possible at all from Apache or Tomcat's server.xml? Or is there any other way to encrypt it aside from Apache and Tomcat?

0 votes
Sudarshan TS Community Leader Feb 04, 2021

Hello @Anand Dandikar
I just informed the Atlassian team about this and it's being looked into.

Is there a proxy involved at your site?

Sudarshan TS Community Leader Feb 04, 2021

Ok, there you go. @Daniel Eads, thank you for the immediate response!


Thank you @Sudarshan TS. Yes, we are running Jira behind an Apache reverse proxy and using HTTPS with a GoDaddy cert.


DEPLOYMENT TYPE
SERVER
VERSION
8.8.0