Solved: How to hide Encrypted KVM values from Trace sessio...

Tana_Delg · 10-10-2023 05:04 PM

Hello, I'm currently attempting to pass encrypted KVMs as body parameters, but I've noticed that the trace session continues to display the values in an unencrypted format. How can I address this issue? Additionally, I'm curious whether these unencrypted values will be transmitted without any protection in the API call to the backend server.

KVM Policy:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<KeyValueMapOperations async="false" continueOnError="false" enabled="true" name="KVM-Get_Credentials" mapIdentifier="Credentials-Config">
    <DisplayName>KVM-Get_Credentials</DisplayName>
    <Properties/>
    <ExclusiveCache>false</ExclusiveCache>
    <ExpiryTimeInSecs>300</ExpiryTimeInSecs>
    <Get assignTo="private.login">
        <Key>
            <Parameter>login</Parameter>
        </Key>
    </Get>
    <Get assignTo="private.password">
        <Key>
            <Parameter>password</Parameter>
        </Key>
    </Get>
    <Scope>environment</Scope>
</KeyValueMapOperations>

AssignMessage:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-Set-Qparams">
    <DisplayName>AM-Set-Qparams</DisplayName>
    <Properties/>
    <Set>
        <QueryParams>
            <QueryParam name="$login">{private.login}</QueryParam>
            <QueryParam name="$password">{private.password}</QueryParam>
        </QueryParams>
    </Set>
    <AssignVariable>
        <Name>target.copy.pathsuffix</Name>
        <Value>false</Value>
    </AssignVariable>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>

I would highly value any insights or information you could provide

dchiesa1

I like this answer.

It is an anti-pattern to insert secrets (like a password) in query parameters. Independent of your use of Apigee, you should not put secrets in QueryParam. No, the URL (including query) is not sent un-encrypted. If you are using HTTPS, then the URL is encrypted. But by convention, systems log the URL, including query params. That can cause a leakage of secrets. Read the article to understand more. Or read this OWASP article for something more formal. This is not an Apigee-specific thing. The recommendation to avoid putting secrets in HTTP Query params applies to all HTTP applications, interfaces, and systems.

Your post said

@Tana_Delg wrote:

I'm currently attempting to pass encrypted KVMs as body parameters,

But you used QueryParam in the AssignMessage policy. If you want body params, which I am taking to mean that you wish to use a content-type = application/x-www-form-urlencoded for the outbound message, you should use FormParam element in AssignMessage.

It is considered to be safe to pass secrets in FormParams (or in general, in the message body).

BUT

@Tana_Delg wrote:

I've noticed that the trace session continues to display the values in an unencrypted format.

Yes, you would need to set your Debug session configuration to mask "message.content" and "request.content" as well as "request.formparam.password" if you don't want these things to appear in the trace session. Read about data masking here. and I think there is an older screencast explaining data masking; if you search for it you may find it.

Good luck!

View solution in original post

Anandhu

Hi,
I think your trace session is showing the credentials after you added those parameters in the QueryParam variables. Once it's assigned to a normal variable which are non private, then it will be visible wherever you use those context variable in the flow. You cannot hide target.url since your private values are added there. It's always good if we avoid passing any sensitive data over the url.

Hope this helps.

dchiesa1

I like this answer.

It is an anti-pattern to insert secrets (like a password) in query parameters. Independent of your use of Apigee, you should not put secrets in QueryParam. No, the URL (including query) is not sent un-encrypted. If you are using HTTPS, then the URL is encrypted. But by convention, systems log the URL, including query params. That can cause a leakage of secrets. Read the article to understand more. Or read this OWASP article for something more formal. This is not an Apigee-specific thing. The recommendation to avoid putting secrets in HTTP Query params applies to all HTTP applications, interfaces, and systems.

Your post said

@Tana_Delg wrote:

I'm currently attempting to pass encrypted KVMs as body parameters,

But you used QueryParam in the AssignMessage policy. If you want body params, which I am taking to mean that you wish to use a content-type = application/x-www-form-urlencoded for the outbound message, you should use FormParam element in AssignMessage.

It is considered to be safe to pass secrets in FormParams (or in general, in the message body).

BUT

@Tana_Delg wrote:

I've noticed that the trace session continues to display the values in an unencrypted format.

Yes, you would need to set your Debug session configuration to mask "message.content" and "request.content" as well as "request.formparam.password" if you don't want these things to appear in the trace session. Read about data masking here. and I think there is an older screencast explaining data masking; if you search for it you may find it.

Good luck!

How to hide Encrypted KVM values from Trace sessions?