During scanning my https website via owasp zap , I found that username and password information is not encrypted. What could be the reason and how to fix. Please see below screenshot of ZAP.
Asked
Active
Viewed 605 times
0
Muhammad Ali Khamis
- 137
- 1
1 Answers
5
OWASP ZAP is like a MITM proxy very similar to Burp suite.Ofcourse it can read the https because you must have installed a Root CA certificate while setting it up.There is nothing wrong with your website in regards to your question
yeah_well
- 3,804
- 1
- 15
- 32
-
I can see the information via chrome inspect. Is this still due to Root CA certificate? – Muhammad Ali Khamis Jul 25 '19 at 07:33
-
6@MuhammadAliKhamis If you mean the browser dev tools, well, obviously you can; the browser does all the encryption (and decryption) so it knows both the plaintext and the ciphertext, and the dev tools would be quite useless if they showed ciphertext instead of plaintext. – CBHacking Jul 25 '19 at 08:12
https://connection, so they are encrypted. – Gilles 'SO- stop being evil' Jul 25 '19 at 06:56And as @Jeroen-ITNerdbox hast stated, they get transmitted in clear text inside the encrypted channel.
– mhr Jul 25 '19 at 13:59