WebApp Sec mailing list archives
Re: Summary: Growing Bad Practice with Login Forms
From: Stefan Paletta <stefanp () cabal1 com>
Date: Sun, 1 Aug 2004 01:11:26 +0200
athena () buyukada co uk wrote/schrieb/scripsit:
> Again, using the passphrase example. On the first page the user submits their information to confirm who they are. On the second page they will perform secondary authentication but two characters will appear on the page. If the first stage authentication was correct, then the two characters will be from the user's agreed site authentication passphrase. If the first stage authentication failed, then two random characters (not part of the passphrase) will appear. If this is implemented correctly, only the user really knows if the first stage authentication worked. Cool, huh?

The attacker can act as a MITM and simply proxy the information from the first step to the original site, thereby having it disclose the correct string to present to the user.

-Stefan

--
junior guru SP666-RIPE JID:stefanp () jabber de cw net SMP@IRC
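To make the exchange concrete, here is an added model of the two-stage scheme athena describes and of the relaying front end Stefan points out. This is example code written for this archive page, not code from either poster or from any real site; the user record, the passphrase, and the names `Site`, `Relay`, `run_login` and `hint_looks_genuine` are all constructed. It shows why the two displayed characters cannot serve the user as evidence of talking to the genuine site: anything that forwards stage 1 to the real site receives the same correct hint.

```python
"""Model of a two-stage login with a passphrase hint, and of a relaying
front end that forwards stage 1 to the genuine site (constructed example)."""
import hmac
import secrets
import string

# Constructed demo record: password plus the site-agreed passphrase.
USERS = {"alice": {"password": "correct horse", "passphrase": "BLUEPENGUIN"}}


class Site:
    """The genuine site. Stage 1 checks the password; stage 2 shows two
    consecutive passphrase characters if stage 1 succeeded, otherwise two
    random digits (digits never occur in a passphrase here)."""

    def __init__(self, users):
        self.users = users
        self.sessions = {}  # session id -> (user, stage-1 result)

    def stage1(self, user, password):
        rec = self.users.get(user)
        ok = rec is not None and hmac.compare_digest(rec["password"], password)
        sid = secrets.token_hex(8)
        self.sessions[sid] = (user, ok)
        return sid

    def stage2_hint(self, sid):
        user, ok = self.sessions[sid]
        if ok:
            pp = self.users[user]["passphrase"]
            pos = secrets.randbelow(len(pp) - 1)  # leaves room for 2 chars
            return pos, pp[pos:pos + 2]
        # Failed stage 1: two random characters that are not in any passphrase.
        return -1, "".join(secrets.choice(string.digits) for _ in range(2))


class Relay:
    """Impostor front end. It only forwards stage 1 to the real site and
    passes the resulting hint back, so the user sees the correct characters."""

    def __init__(self, site):
        self.site = site
        self.captured = []  # what the relay learned from stage 1

    def stage1(self, user, password):
        self.captured.append((user, password))
        return self.site.stage1(user, password)

    def stage2_hint(self, sid):
        return self.site.stage2_hint(sid)


def run_login(frontend, user, password):
    """The user's side of the exchange: submit stage 1, then read the hint.
    The user cannot tell whether `frontend` is the Site or a Relay."""
    sid = frontend.stage1(user, password)
    return frontend.stage2_hint(sid)


def hint_looks_genuine(hint_chars, passphrase):
    """The check the user performs: do the two characters occur in the
    agreed passphrase?  This is true for the genuine site AND for a relay."""
    return hint_chars in passphrase


if __name__ == "__main__":
    site = Site(USERS)
    print("direct:", run_login(site, "alice", "correct horse"))
    relay = Relay(site)
    print("via relay:", run_login(relay, "alice", "correct horse"))
    print("relay learned:", relay.captured)
```

The check in `hint_looks_genuine` is exactly as strong as the text claims for a passive phishing page that has no connection to the real site, and exactly as weak as Stefan's reply says once the front end forwards stage 1; a defence that binds the hint to the channel the user is actually on is outside what this thread discusses.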