In Burp Suite during penetration testing, the input data passed from the client to the server is visible in both Burp Suite and Chrome DevTools. To secure this, should we encrypt the input parameters on the client side and decrypt them on the server side? Specifically, during login, when the username and password are validated, is there an alternative way to encrypt and decrypt data on both the client and server sides?
Hi Tamil,
You can consider using crypto.js on the client side to encrypt the data, and then use the Crypto API plugin in OutSystems to decrypt it on the server side. I recommend using RSA encryption, as it enables you to encrypt data with a public key on the client side and decrypt it with a private key on the server side—and vice versa if needed.
Hi @Sathish Karunakaran. I've tried the approach you suggested and it's working for me. Thanks!
Hi @Sathish Karunakaran , is it possible to hide the responses from Aggregates and Data Actions in the Network tab of Chrome Developer Tools?
I believe it's not possible; we can encrypt the data to secure sensitive data.
Thanks @Sathish Karunakaran for your response
Hi @Tamilselvan M ,
You can try to use CryptoAPI for your use-case.
Hi @Mihai Melencu,
Thanks for your reply. CryptoAPI supports server-side encryption/decryption. How can we do client-side encryption and server-side decryption?
Hi @Tamilselvan M,
As @Mihai Melencu mentioned, you can try to use CryptoAPI, and if you want the encryption on the client side, you can wrap that encryption server action in a client action and use it wherever you need it in your application. You may keep using the decryption server action on the server side.
Hi @Tamilselvan M,
Client-side encryption of credentials is not a recommended security practice, as encrypted payloads remain vulnerable to interception and replay attacks. To mitigate this risk, implement rate limiting on login attempts as an additional protective measure.
Thank you.
Hi @Nilesh Trivedi,
So is there any other option to avoid showing input parameter data in Developer Tools?
Can you please provide your API details?
Not in an API; client action input parameter data is exposed in Developer Tools.
For input parameters, please check the following:
@Tamilselvan M : Please see if this discussion helps for encryption of data at the client side. @ https://www.outsystems.com/forums/discussion/86040/client-side-encrypt-and-decrypt-server-side/
By the way, what you are experiencing in Burp Suite is normal behaviour. Burp Suite acts as a proxy, intercepting the HTTP(S) requests sent from your browser to the server. If HTTPS is used, Burp decrypts the content using its self-signed certificate, which you've accepted to perform testing. Normally it is not required to encrypt the data as long as HTTPS is used for communication.
Hi @Siya, thank you for your response. Whatever input data we are passing in the login action is also visible in Chrome Developer Tools under the Network tab. Is there any way to avoid this?
@Tamilselvan M : Yes, this is expected behavior. The browser constructs requests and processes responses as part of normal operation, and when DevTools is open, it provides visibility into this data for debugging. HTTPS ensures encryption only during transmission; once the data reaches the browser, it is decrypted and can be inspected.