
Ashish R Bhandari

(My) Simple Home Wifi Router Login Session Management (Cookie)

I saw this while I was making a change in my Wifi router settings.

If I think from a security perspective:
Basically, my Wifi router's web interface is very insecure. Well, I think it should use a better approach; this is the worst possible.
I know about JWT; this is PWT (Plain Web Tokens) 😬
Let's see why...

Snap1: Shows the cookie with content containing the username and password in Base64
Here we can see that the Cookie header carries an HTTP header (Authorization) in the form of a cookie name and value, and the value contains the username and password that I just entered.

Base64!!! Hmmm Nice

Snap2: A closer look at the cookie containing the username and password in Base64

Snap3: Dev Tools are amazing. The Network tab has an Initiator column that tells where the request originated, with the whole stack trace (beginning from the click event fired)

Snap4: Finally, the code showing how the cookie was set, basically by client JS
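
To make the Base64 point concrete, here is an added example (not code from the router or from this post) that audits a captured `Cookie` header and reports any cookie whose value decodes straight back to `user:password`. The sample header, the `admin:hunter2` credentials and the `Basic%20` prefix are constructed assumptions, and it runs under Node.js because it uses `Buffer`.

```javascript
// Added example: flag cookies whose value is just a reversible encoding of credentials.
// The sample header is constructed; "admin:hunter2" is not taken from the post.
const SAMPLE_COOKIE_HEADER =
  'Authorization=Basic%20YWRtaW46aHVudGVyMg==; lang=en; sid=9f8e7d6c5b4a';

// Split a Cookie request header into [name, value] pairs.
// Only the first "=" separates name from value (Base64 padding uses "=" too).
function parseCookieHeader(header) {
  return header.split(';').map((part) => {
    const trimmed = part.trim();
    const eq = trimmed.indexOf('=');
    return eq === -1 ? [trimmed, ''] : [trimmed.slice(0, eq), trimmed.slice(eq + 1)];
  }).filter(([name]) => name !== '');
}

// Return the decoded text if `value` is canonical Base64 of printable ASCII, else null.
function decodePrintableBase64(value) {
  if (value.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(value)) return null;
  const bytes = Buffer.from(value, 'base64');
  if (bytes.toString('base64') !== value) return null; // reject non-canonical input
  const text = bytes.toString('latin1');
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Report every cookie whose value decodes to "user:password".
function findCredentialCookies(header) {
  const findings = [];
  for (const [name, raw] of parseCookieHeader(header)) {
    let value;
    try { value = decodeURIComponent(raw); } catch { value = raw; }
    const hadBasicPrefix = /^Basic /i.test(value);
    const decoded = decodePrintableBase64(value.replace(/^Basic /i, ''));
    if (decoded === null) continue; // opaque token or plain setting, not Base64 text
    const colon = decoded.indexOf(':');
    if (colon <= 0) continue; // no "user:" part, so not Basic-style credentials
    findings.push({
      cookie: name,
      hadBasicPrefix,
      username: decoded.slice(0, colon),
      password: decoded.slice(colon + 1),
    });
  }
  return findings;
}

console.log(findCredentialCookies(SAMPLE_COOKIE_HEADER));
```

The random-looking `sid` value in the sample is not reported because it does not decode to printable text, which is what a server-issued opaque session identifier should look like.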

If I think from the router's actual work:
Then in that case it has nothing to do with the web interface.
The web interface is for us to manage a few things, and it is mostly used on the internal network.

Behind the Scenes (My Mind Conversation & Thoughts)

But someone who is part of the network but does not have access can SNIFF the traffic and capture these details.
But this is totally contradictory, since he could have SNIFFED the initial login traffic and received the details, and also the web interface is usually over plain HTTP.
