WebApp Sec mailing list archives
Re: [WEB SECURITY] SSL does not = a secure website
From: Bill Pennington <bill () whitehatsec com>
Date: Tue, 28 Mar 2006 16:24:12 -0800
I recently ran into the "click on a virtual keyboard" implementation. This one was all JavaScript based and worked by sending the coordinates back to the server. It was not any more secure than a form-based password since the password was basically sent in a URL string just in the form of coordinates. Replay of the coordinates worked just fine. I think this product was aimed at stopping the "Enter your username and password" type fishing attacks.
Now it is true SSL would stop some type of network sniffer from seeing this traffic however I think it would be trivial for a trojan to hook into the IE object and just pull click events out from there. I mean once you can install software on your target there is not much that can't be done so this are simply a bump in the road from what I have been able to determine.
On Mar 28, 2006, at 3:16 PM, James Strassburg wrote:
There are additional countermeasures that a web application can implement. For example, the app could have the user enter his/her password by clicking an onscreen keyboard or ask the user for randomcharacters from their password (enter the 2nd, 4th and 10th character of your password). I should state that while I've read about these I don'tknow of a web application that makes use of them. James Strassburg ________________________________ From: Ryan Barnett [mailto:rcbarnett () gmail com] Sent: Tuesday, March 28, 2006 8:10 AM To: Sebastien Deleersnyder Cc: Web Security; webappsec () securityfocus com Subject: Re: [WEB SECURITY] SSL does not = a secure website On 3/28/06, Sebastien Deleersnyder <sebastien.deleersnyder () ascure com> wrote: Their is nothing that a website can do to prevent keyloggers on the user's machine.Well, now that I think about it, that is not entirely true... Websitescould front-end their web apps with applications such as Sygate ( http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302 <http://www.symantec.com/Products/enterprise?c=prodinfo&refId=1302> )which can check the user's computer for some forms of malware (including keyloggers) and then place the user into a Java virtual machine to helpprotect user credentials. --------------------------------------------------------------------- The Web Security Mailing List http://www.webappsec.org/lists/websecurity/ The Web Security Mailing List Archives http://www.webappsec.org/lists/websecurity/archive/
--- Bill Pennington, CISSP, CCNA VP Services WhiteHat Security Inc. http://www.whitehatsec.com ------------------------------------------------------------------------- This List Sponsored by: SpiDynamicsALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- Re: [WEB SECURITY] SSL does not = a secure website, (continued)
- Re: [WEB SECURITY] SSL does not = a secure website Nick Owen (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website Mark Mcdonald (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Andrew van der Stock (Mar 28)
- RE: [WEB SECURITY] SSL does not = a secure website Lyal Collins (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Ryan Barnett (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Brian Eaton (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Bill Pennington (Mar 28)
- Re: [WEB SECURITY] SSL does not = a secure website Gervase Markham (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website Evert Collab (Mar 29)
- Re: [WEB SECURITY] SSL does not = a secure website michaelslists (Mar 28)