Password sent via HTTPS accessible via browser dev

Published 2020-03-30 03:45

Question:

I have a web site that accomplishes user login via ajax call over https. Obviously the request contains the password. Playing around with Firefox developer tools I noticed that I can inspect any network requests coming from my page including the request body ... and there is my password. I assume the request is being encrypted since its over https but the developer tools still shows it as plain text. Am I missing something? If a user logs in on a public machine and forgets to logout anyone can use developer tools to grab their password. Thanks in advance for any help you can provide.

-Mike

Answer 1:

Everything is functioning by design – there's nothing wrong.

The browser's dev tools are intended to allow the user to inspect everything that's happening in the page – without that functionality, they'd be pretty useless. The dev tools' network tab shows HTTP data before it is encrypted.

In the public machine scenario, remember that the dev tools only show network requests that happened after the tools were opened, so an attacker can't just open the dev tools after the user leaves with your page up and see the plaintext auth request.



Answer 2:

I can inspect any network requests coming from my page including the request body

No you can't - that's not yet network traffic - that's an HTTP datagram which is then passed through the SSL layer before it gets to the TCP stack.

If a user logs in on a public machine and forgets to logout anyone can use developer tools to grab their password

No, because unless the page developer is doing really stupid things, the browser does not store the information - you could only see it because your browser was configured to intercept the information and store it temporarily. But having said that there are a large number of things which can cause the browser to store authentication tokens - auto complete and password managers for a start (the latter vary greatly in the quality of their implementation, the former has little protection against disclosure). Authentication tokens should never be sent as GET parameters hence should not be visible from the browser history.
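
The point made in both answers, as an added example that is not from the original post or its author: the dev tools Network tab shows the request body before TLS encrypts it, so the thing a developer actually controls is where the credential travels. A password in the POST body is encrypted on the wire and is not persisted by the browser, whereas a password in a GET parameter lands in browser history and server access logs even over HTTPS. The login endpoint name is assumed, and no request is actually sent.

```javascript
// Added example, not code from the original page. LOGIN_URL is an assumed endpoint.
const LOGIN_URL = "https://example.invalid/api/login";

// Anti-pattern: credentials as GET parameters. TLS still encrypts the full URL in
// transit, but the query string is written to browser history and server logs.
function buildLoginUrlGet(username, password) {
  const url = new URL(LOGIN_URL);
  url.searchParams.set("user", username);
  url.searchParams.set("password", password);
  return url.toString();
}

// Correct pattern: POST with the credential in a JSON body. The dev tools Network
// tab will still display this body in plaintext, because it hooks in before
// encryption, but nothing is recorded in history or logs.
function buildLoginRequest(username, password) {
  return new Request(LOGIN_URL, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ username, password }),
  });
}

// Defensive check a client can run before sending any request: refuse URLs whose
// query string carries a credential-like parameter, however the URL was built.
const SENSITIVE_PARAMS = new Set(["password", "passwd", "pwd", "token", "secret"]);

function urlCarriesCredential(urlString) {
  const url = new URL(urlString);
  for (const key of url.searchParams.keys()) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) return true;
  }
  return false;
}
```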



Tags: security