The best part about my job is that I am constantly in a position to learn new things. I like to learn and discover new things. While troubleshooting a form-based authentication scheme in Oracle Access Manager (OAM) I found that you can test the login (i.e., verify the credentials) and bypass the login form by entering the protected URL, with the login and password in the query string, in the browser address bar. This is a really handy way to make sure that the credentials you are using are actually valid (and as I learned as a kid watching cartoons after school … knowing is half the battle).
i.e.,
http://server/protected/page.html?login=jsmith&password=MyPwd
Here is the snippet from Oracle’s documentation:
To make sure that the authentication scheme is set properly, you can attempt to access a resource protected with that authentication scheme, adding the credentials as query string parameters. This simulates a form whose method is GET without actually using the form.
For example, suppose the authentication scheme uses the following creds challenge parameter:
creds:login password
In this example, if the protected URL is http://server/protected/page.html, you could launch a browser instance and type the following:
http://server/protected/page.html?login=jsmith&password=MyPwd
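Because the scheme accepts the creds parameters on the query string, a login submitted this way also lands in the web server access log, the browser history and any proxy log on the path. As an added example (not from the post or from Oracle's documentation), here is a small Python scan over constructed access-log lines that flags requests carrying the `login`/`password` parameter names taken from the page's creds example; the report keeps the login name for follow-up but deliberately never copies the password value.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names from the creds challenge parameter on this page
# ("creds:login password"). Assumption: adjust if your scheme names them differently.
CRED_PARAMS = {"login", "password"}

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2012:10:01:02 -0500] "GET /protected/page.html?login=jsmith&password=MyPwd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2012:10:01:09 -0500] "GET /protected/page.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2012:10:02:15 -0500] "GET /public/index.html?login=guest HTTP/1.1" 200 1024 "-" "curl/7.22"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_credential_requests(log_text):
    """Return one record per request whose query string carries a creds parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        parts = urlsplit(m.group("target"))
        qs = parse_qs(parts.query, keep_blank_values=True)
        leaked = sorted(CRED_PARAMS & set(qs))
        if not leaked:
            continue
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "path": parts.path,
            "params": leaked,
            # Keep the login for follow-up; the password value is intentionally
            # not copied into the alert so the report does not leak it again.
            "login": qs.get("login", [""])[0],
            "status": int(m.group("status")),
        })
    return hits

if __name__ == "__main__":
    for h in find_credential_requests(SAMPLE_LOG):
        print(f"{h['timestamp']} {h['ip']} {h['path']} params={h['params']} "
              f"login={h['login']} status={h['status']}")
```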
Is there a way to hide this?
This will breach the identity of the user.
How will it breach the identity of the user? You have to know the values of both the username and password.