Penetration Testing mailing list archives
RE: username and Password sent as clear text strings
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Thu, 15 May 2008 08:33:50 -0400
P.S. This recent posting on the Internet Storm Center site directly relates to what you're asking about...in particular, the ability to man-in-the-middle an SSL session...and possibly the ability to capture a session and crack it off-line. http://isc.sans.org/diary.html?storyid=4420 Seems like another area where perhaps defense in depth might be a good idea - that is, use SSL to encrypt the date in transit but also do something else to protect it. -------------sent yesterday That's certainly not ideal but it seems pretty common. The whole idea of SSL is to encrypt the traffic en-route so that makes it all ok, right;) The whole burden rests on doing SSL right and never having the user click ok on one of those boxes about the SSL hostname not matching. So, obviously it's a big deal if the ssl certificate is valid so they aren't training user to ignore those warnings. One other thing to check is that SSL is actually required. What happens if you go to the login page and manually switch it back to http - does it let you go? It seems like a lot of people kindof take that as an acceptable risk. It depends what is being encrypted...requiring an administrative account be used in that manner seems to add quite a bit to the to the risk. It needs to be a business decision....I'd try to build a reasonable scenario that would allow an attacker to gain access and then let the customer weigh the value of the data and the likelihood that someone will be that interested against the difficulty of the attack. BTW, this sounds like a great point to throw in a little discussion about how well the monitor their logs and how quickly they'd catch an attack or even an attempted attack. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of jfvanmeter () comcast net Sent: Wednesday, May 14, 2008 6:40 AM To: pen-test () securityfocus com Subject: username and Password sent as clear text strings Hello everyone, and I know this might not be the most correct place to post this questions, but I was hoping to get some feedback on what you think the potential risk would be and how this this could be exploited. I completed a security review of a web server, that creates a SSL connection between the cleint and the server. Using WebScarab, I could see that the username and password are sent as clear text strings. The log in to the server requires a administrative account. Do you think there is a large amount of risk, in sending the username and password as a clear text string, since the pipe is encrypted? I was thinking that a man-in-the-middle or sometype of session hijacking attack could allow the account to be compromised. I'm working on completing the report for my client and was hoping to get some feedback from everyone so I could pose this to them correcly. Thank you in advance --John ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------ **DISCLAIMER This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business. ------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Find out now! Get Webinar Recording and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
Current thread:
- username and Password sent as clear text strings jfvanmeter (May 14)
- RE: username and Password sent as clear text strings Shenk, Jerry A (May 15)
- Re: username and Password sent as clear text strings Todd Haverkos (May 15)
- Collection of problems in production systems while pen-testing - "Butterfly effect" Adriano Leite (DHL CZ) (May 28)
- RE: username and Password sent as clear text strings Shenk, Jerry A (May 15)
- RE: username and Password sent as clear text strings Jones, David H (May 15)
- Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Brahnda A. Eleazar (May 15)
- Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Jon Kibler (May 16)
- RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Newton, Preston (May 16)
- Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? pand0ra (May 16)
- Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? pand0ra (May 16)
- Re: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Rick Zhong (May 17)
- RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Brahnda A. Eleazar (May 26)
- RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Adriano Leite (DHL CZ) (May 28)
- RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Brahnda A. Eleazar (May 28)
- Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Brahnda A. Eleazar (May 15)