POST parameter value empty-tampering

securitylove
I am learning security testing of web applications and couldn't find an answer to my question online.

I tried to tamper with a POST request using Tamper Data on Mozilla (the application does not use SSL).

The Post Parameter Name tab has, in a JSON string, the parameter names and values in plain text (username and password), and the Post Parameter Value tab was empty.

Searching online I saw that parameter values are in the POST parameter value box,

so is it a mistake or a security issue to be like in my case?

Thanks in advance,
Regards
 
Sending the username and password in plain text is a major security issue. Despite many sites doing this, it makes it easy for an attacker to get access to your server or application. Anybody wire-sniffing the line can grab your username and password using a program such as Wireshark or tcpdump. This is known as a man-in-the-middle attack.
Consider that there could be 31,000 daily login attempts blocked in the application, and simply sending the username and password over the line will give criminals instant access.

To resolve this issue you could try to make the username and password unreadable. This is generally done using SSL, which makes it harder for cyber criminals to attack your application. SSL is not the holy grail that solves this problem, because professional crackers do get past it, but it is better than plain text.

Another method is JavaScript client-side encryption, such as http://www.jcryption.org/ or http://crypto.stanford.edu/sjcl/.
In this case you should use a public-key encryption algorithm, because symmetric-key algorithms require the password to be sent in plain text over the line.

To increase the security of the application you could also block POST requests from certain IP addresses using access lists, block other browser signatures, and add CAPTCHA verification to prevent brute-force attacks.
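An added example (editor's code, not from either post) that parses two constructed POST requests, a urlencoded form login and a JSON login, both the way a form-oriented tamper tool displays them as name/value pairs and the way a passive sniffer on a non-SSL link would read the credentials out of them. The empty Post Parameter Value tab described in the question is consistent with the request body being raw JSON rather than name=value pairs; that reading, the hostname app.example.test, the paths and the credentials are assumptions for the example, not something the page states.

```python
"""Inspect captured HTTP POST requests the way a passive sniffer or a
form-oriented proxy such as Tamper Data would see them.

Both sample requests below are constructed for this example; the host,
paths and credentials are made up.
"""
import json
from urllib.parse import parse_qsl


def build_request(path, content_type, body):
    """Assemble a minimal HTTP/1.1 POST with a correct Content-Length."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: app.example.test\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        f"\r\n"
        f"{body}"
    )


# A classic HTML-form login: name=value pairs, percent-encoded.
FORM_POST = build_request(
    "/login",
    "application/x-www-form-urlencoded",
    "username=alice&password=Sup3rS3cret%21",
)

# A JSON login as sent by JavaScript front ends: one raw JSON document.
JSON_POST = build_request(
    "/api/login",
    "application/json",
    json.dumps({"username": "alice", "password": "Sup3rS3cret!"}),
)


def split_request(raw):
    """Return (request line, lower-cased header dict, body) from raw text."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def content_type(headers):
    """Media type without parameters such as '; charset=utf-8'."""
    return headers.get("content-type", "").split(";")[0].strip().lower()


def form_view(raw):
    """What a form-oriented tamper tool shows as name/value pairs.

    Only a urlencoded body splits into pairs. Any other body (JSON here)
    is one opaque string: it lands in the 'name' column and the 'value'
    column stays empty, which is the symptom described in the question
    (assumed explanation, not confirmed by the page).
    """
    _, headers, body = split_request(raw)
    if content_type(headers) == "application/x-www-form-urlencoded":
        return parse_qsl(body, keep_blank_values=True)
    return [(body, "")]


def extract_credentials(raw):
    """Recover the login from either encoding, as a sniffer on a
    non-SSL link could. Returns (username, password) or None."""
    _, headers, body = split_request(raw)
    ctype = content_type(headers)
    if ctype == "application/x-www-form-urlencoded":
        params = dict(parse_qsl(body))
    elif ctype == "application/json":
        params = json.loads(body)
        if not isinstance(params, dict):
            return None
    else:
        return None
    if "username" not in params or "password" not in params:
        return None
    return params["username"], params["password"]


if __name__ == "__main__":
    for label, req in (("form", FORM_POST), ("json", JSON_POST)):
        print(label, "tamper view:", form_view(req))
        print(label, "credentials:", extract_credentials(req))
```

Whichever encoding the front end uses, `extract_credentials` recovers the same username and password from the bytes on the wire; the encoding only changes how a tamper tool lays the body out in its tabs, not whether an eavesdropper can read it, which is the reply's point about SSL.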
 