Educause Security Discussion mailing list archives
Re: Vulnerability? Or...not so much?
From: David Shettler <dshettle () HOLYCROSS EDU>
Date: Sun, 4 Apr 2010 00:20:08 -0400
On Sat, Apr 3, 2010 at 11:27 PM, Charles Buchholtz <chip+educause () seas upenn edu> wrote:
> If you think of the URI as a username/password, you probably already have Authentication/Authorization/Accounting standards for this situation. Think of the URI as a guessable part (the "username") and a non-guessable part (the "password").
Interesting perspective. In most cases, with that perspective, it would meet or exceed most requirements -- though, not brute force protection, and not centralized, etc.
> A sixty minute password is worse than a one-time pad or two factor, but it's better than a password that is changed monthly. This might be better than your normal authentication, or it may be worse.
Indeed.
> There are a couple of issues that are specific to this situation: 1) The "passwords" may meet your requirements for user chosen passwords, but they may be guessable by someone who knows or reverse engineers the algorithm. Besides users of your system who may generate many URIs looking for a pattern, you need to worry about users of the same application software at other sites.
And the fact that the software is, by many institutions (including ours until we discovered this), internet accessible.
> 2) What if a future upgrade or patch of the software starts using easily guessable URIs?
Thanks for the perspective. It provides some comfort? But I'm still concerned. It's written in Java, so I'm going to force a deeper pen test and reverse engineer the class files to see what exactly is going on. File names generated in the same session only seem to differ by a few bits and the epoch change. I have a feeling the algorithm used may also be flawed, but time (and effort) will tell.
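The message above reports that names generated in the same session differ by only a few bits, and the quoted reply frames such a name as a sixty-minute password. The following is an added example, not code from this thread or from the (unnamed) application it discusses: it models the suspected weak scheme with a hypothetical epoch-plus-counter generator, applies a simple bit-difference heuristic a reviewer could run over a batch of observed names, and contrasts it with names drawn from the OS CSPRNG that expire after sixty minutes. The store, base URL and threshold are assumptions for illustration.

```python
import secrets
import statistics
import time

TOKEN_BYTES = 16          # 128 bits of secret material per link (assumed)
LINK_TTL_SECONDS = 3600   # the "sixty minute password" from the thread

def weak_name(epoch, counter):
    """Hypothetical model of a guessable name: epoch plus a small counter."""
    return f"{epoch:08x}{counter:08x}"

def strong_name():
    """Unguessable name from the OS CSPRNG, hex so it compares as raw bytes."""
    return secrets.token_hex(TOKEN_BYTES)

def hamming_bits(a, b):
    """Number of bits that differ between two equal-length hex tokens."""
    return sum(bin(x ^ y).count("1") for x, y in zip(bytes.fromhex(a), bytes.fromhex(b)))

def mean_successive_hamming(tokens):
    """Average bit difference between each token and the one issued after it."""
    return statistics.mean(hamming_bits(p, q) for p, q in zip(tokens, tokens[1:]))

def looks_predictable(tokens, fraction=0.25):
    """Heuristic: random tokens differ in about half their bits; flag a batch
    whose successive tokens differ in fewer than `fraction` of them."""
    total_bits = len(tokens[0]) * 4
    return mean_successive_hamming(tokens) < fraction * total_bits

def issue_link(store, base_url, now=None):
    """Register a fresh capability URL that expires after LINK_TTL_SECONDS."""
    now = time.time() if now is None else now
    name = strong_name()
    store[name] = now + LINK_TTL_SECONDS
    return f"{base_url}/{name}"

def link_is_valid(store, name, now=None):
    """Accept only known, unexpired names; drop an expired one on sight."""
    now = time.time() if now is None else now
    expiry = store.get(name)
    if expiry is None:
        return False
    if now >= expiry:
        del store[name]
        return False
    return True
```

Running `looks_predictable` over ten constructed epoch-plus-counter names flags them, while ten CSPRNG names pass; the heuristic is a triage signal, not a substitute for reading the generating code.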