Penetration Testing mailing list archives
RE: username and Password sent as clear text strings
From: jfvanmeter () comcast net
Date: Fri, 16 May 2008 14:52:00 +0000
Hello uglyhunk, I aggree that the SSL tunnel is encrypted, and that makes it harder for someone to easydrop on the session....... I used the proxy software, to simulate a Man in the Middle attack . For this reason I think that the password should be hashing/encrypted I found the following links interesting http://isc.sans.org/diary.html?storyid=4420 http://www.sans.org/reading_room/whitepapers/threats/480.php http://forums.remote-exploit.org/showthread.php?t=9011 There are alot of tools for SSL MITM attacks dsniff is only one. Just my two shiny centavos --John -------------- Original message ---------------------- From: "uglyhunK" <uglyhunK () hippiecluB org>
Hey John, Firstly, SSL encrypts the entire traffic not just username/password. Coming to you being able to see username/password, that is because you are using proxy software. If you really want to confirm the actual traffic that goes through the wire, sniff it using wireshark or tcpdump which should show you some junk if the traffic is ssl. So, there is nothing to worry about. -uglyhunK -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]On Behalf Of jfvanmeter () comcast net Sent: Thursday, May 15, 2008 1:41 PM To: Todd Haverkos Cc: pen-test () securityfocus com Subject: Re: username and Password sent as clear text strings Good Morning Everyone and thank you all for you input. I don't believe a certificate was every presented to the browser, I'll double check that when I get on the client site this morning. I guess part of the problem I'm having with this, is the web app is owned by a very large company, and I just thought they would take the extra measure of hashing or encrypting the password. Take Care and Have Fun --John -------------- Original message ---------------------- From: Todd Haverkos <fsbo () haverkos com>jfvanmeter () comcast net writes:Hello everyone, and I know this might not be the most correct place topostthis questions, but I was hoping to get some feedback on what you thinkthepotential risk would be and how this this could be exploited.I completed a security review of a web server, that creates a SSLconnectionbetween the cleint and the server. Using WebScarab, I could see that the username and password are sent as clear text strings. The log in to theserverrequires a administrative account.Do you think there is a large amount of risk, in sending the usernameandpassword as a clear text string, since the pipe is encrypted? I wasthinkingthat a man-in-the-middle or sometype of session hijacking attack couldallowthe account to be compromised.I'm working on completing the report for my client and was hoping toget somefeedback from everyone so I could pose this to them correcly.Thank you in advance --JohnHi John, Webscarab, like all intercepting web proxy programs I've used on https:// sites generally work by performing an intentional "man in the middle" between your web browser and the server in order to be able to show you what's being submitted to the server. Unless your browser is broken or badly configured, you should have gotten a certificate mismatch warning when first conencting to the site, and examination of the certificate that was presented to the browser will have Webscarab written all over. With that in mind are you _sure_ things are being passed in clear text, or are you just saying "hey I can read these form submission values just fine in webscarab!" If the latter, I don't think there's necessarily a concern, because by the nature of the tool you're using and you're okay'ing the certificate warning, you're letting the tool sees these values. Best Regards, -- Todd Haverkos http://www.linkedin.com/in/toddhaverkos------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Find out now! Get Webinar Recording and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Find out now! Get Webinar Recording and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
Current thread:
- RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs?, (continued)
- RE: Dangerous in using nmap for AS/400 730 machine configured with 3 ASPs? Brahnda A. Eleazar (May 28)
- Re: username and Password sent as clear text strings Orlin Gueorguiev (May 15)
- Re: username and Password sent as clear text strings Matthew Zimmerman (May 19)
- Re: username and Password sent as clear text strings David Howe (May 21)
- Re: username and Password sent as clear text strings Matthew Zimmerman (May 22)
- Re: username and Password sent as clear text strings David Howe (May 23)
- Re: username and Password sent as clear text strings David Howe (May 21)
- Re: username and Password sent as clear text strings christopher . riley (May 15)
- Re: username and Password sent as clear text strings jfvanmeter (May 15)
- RE: username and Password sent as clear text strings jfvanmeter (May 15)
- RE: username and Password sent as clear text strings dseth (May 15)
- RE: username and Password sent as clear text strings jfvanmeter (May 16)
- Re: username and Password sent as clear text strings jfvanmeter (May 16)
- RE: username and Password sent as clear text strings Shenk, Jerry A (May 17)
- Re: username and Password sent as clear text strings jfvanmeter (May 16)
- Re: username and Password sent as clear text strings arvind doraiswamy (May 18)
- Re: username and Password sent as clear text strings Orlin Gueorguiev (May 18)
- RE: username and Password sent as clear text strings Shenk, Jerry A (May 18)
- RE: username and Password sent as clear text strings Marvin Simkin (May 19)
- Re: username and Password sent as clear text strings jfvanmeter (May 19)
- Re: username and Password sent as clear text strings christopher . riley (May 19)
- Re: username and Password sent as clear text strings jfvanmeter (May 21)