Moodle Login Form Encryption


by Danielle Bryan Dizon -
Number of replies: 2

Good Day!

I'm having a dilemma configuring with Moodle's security.

When I try to login, the username and password typed in the login form can be seen in plain text when I intercept the site using Burp Suite.

[Screenshot: username and password in plain text]

[Screenshot: request and responses during form submit]
I have already done my part:

1. Hosting the whole site in HTTPS. (Site cannot be accessed through HTTP only.)

2. Enabling "https for logins" in HTTP Security setting.

3. I checked what method is being used during form submit which is "POST".

4. My self-signed certificate is making my browser identify my Moodle site as being "Secured" with a padlock icon. (Properties: TLS 1.2, AES with 256-bit encryption (High); ECDH_P256 with 256-bit exchange.)

My question is... is Moodle capable of hashing or encrypting the username and password being submitted on the client side? I am also confused why the HTTPS/TLS connection is not encrypting the login form during form submit.

Are there any other solutions to solve this vulnerability? Our Security Office found this issue during their vulnerability and penetration testing.

Thank you so much in advance for accommodating my concerns!

In reply to Danielle Bryan Dizon

Re: Moodle Login Form Encryption

by Dan Marsden -

It's probably the self-signed cert that is tripping you up here.

Passwords are passed in plain text via SSL - that's how it usually works - there's usually no point encrypting the password at the client end because a hacker could just use that "encrypted" password when sending it to the server anyway. You should be able to find more reading on this by searching Google.

Typically a self-signed cert will not be "trusted" within your browser - it should show a warning to the user that the cert is not trusted. (unless you have added the root CA cert for the self-signed certs to your browser - I really hope you haven't done this.)

I think Burp Suite might be operating as a proxy/man in the middle - presenting you with a "fake" SSL cert so that it can decrypt the data in transit to the external server. You haven't been noticing this because you already have an "untrusted" cert being used on your server.

In a typical scenario your web browser would notice that the site is using an untrusted cert (the one presented by the Burp Suite tool instead of the real one provided by your main site).

That's just an educated guess though - could be something else going on that I've missed here.

In reply to Dan Marsden

Re: Moodle Login Form Encryption

by James McLean -

Dan is spot on: Burp Suite is a man-in-the-middle proxy tool. It presents a TLS connection to your browser and then decrypts and re-encrypts the data in the middle, before sending it to your server.

While running Burp Suite, you can inspect the self-signed certificate in your browser and you will see it is signed by "PortSwigger", which is the company that sells the software.

Regardless of the certificate used (self-signed, DV/EV, even expired) the traffic is still encrypted on the wire, and you could use software like Wireshark to validate this.

The warning presented by the browser when encountering a self signed certificate is there for good reason, to alert users when bad things are happening - exactly like the man in the middle example presented!

If you have been running with self-signed certificates and your users are now trained to click through the warnings, that puts them at greater risk.
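The trust decision both replies describe can be reproduced offline. The script below is an added example, not code from this thread, from Moodle or from PortSwigger: it uses openssl (assumed to be on PATH) to create a throwaway "site" CA and a throwaway "proxy" CA, issues a certificate for the same constructed hostname (moodle.example) from each, and then checks which one a client that trusts only the site CA accepts. The last check shows what happens once the proxy's CA has been added to the trust store, which is the situation Dan warns about: the intercepting certificate verifies cleanly and the browser has no reason to warn.

```shell
#!/bin/sh
# Added example (not from the Moodle thread). Constructed names: site-ca,
# proxy-ca, moodle.example. Assumes an openssl binary with a default config.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key and certificate in $WORK/NAME.{key,crt}
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_leaf CANAME HOST: CA-signed leaf cert for HOST in $WORK/HOST.CANAME.crt
issue_leaf() {
    ca="$1"; host="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$WORK/$host.$ca.key" -out "$WORK/$host.$ca.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -sha256 -in "$WORK/$host.$ca.csr" \
        -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -out "$WORK/$host.$ca.crt" >/dev/null 2>&1
}

# verdict CAFILE LEAF: prints "trusted" if LEAF chains to a CA in CAFILE,
# "untrusted" otherwise (this is the check a browser does before the padlock)
verdict() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# The real site's CA and the interception proxy's CA, each issuing a
# certificate for the very same hostname.
make_ca site-ca
make_ca proxy-ca
issue_leaf site-ca moodle.example
issue_leaf proxy-ca moodle.example

# A client that trusts only the site CA accepts the genuine cert and rejects
# the proxy's look-alike: that rejection is the browser warning.
echo "site cert,  trust store = site CA only : $(verdict "$WORK/site-ca.crt" "$WORK/moodle.example.site-ca.crt")"
echo "proxy cert, trust store = site CA only : $(verdict "$WORK/site-ca.crt" "$WORK/moodle.example.proxy-ca.crt")"

# Once the proxy CA is added to the trust store, the look-alike verifies too
# and the interception becomes invisible to the user.
cat "$WORK/site-ca.crt" "$WORK/proxy-ca.crt" > "$WORK/trust-store.crt"
echo "proxy cert, trust store = site + proxy : $(verdict "$WORK/trust-store.crt" "$WORK/moodle.example.proxy-ca.crt")"
```

The three lines it prints read trusted, untrusted, trusted. Nothing about the hostname or the key size distinguishes the two leaf certificates; only the issuer does, which is why a trust store that already contains an arbitrary self-signed CA (or a proxy's CA) removes the one signal the browser relies on.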