Penetration Testing mailing list archives
RE: pen testing https portal?
From: "Nick Besant" <Nick.Besant () ioko com>
Date: Fri, 8 Sep 2006 11:08:06 +0100
-----Original Message-----
From: mismail () postmaster co uk

Has anyone ever tested an HTTPS portal? Basically I have a client who has constructed an HTTPS portal so that all workers can log on from anywhere and access apps and files. How it works is: the username and password are the user's AD logon details, and the PIN is emailed to the user. So, for example, when the user logs on he has a button saying "generate PIN". Now say he has a PIN of 1234; when he hits "generate PIN" a picture comes up like this:

    1234567890
    0192837465

The user finds the first number of his PIN in the top row and types the number below it, does the same with 2, 3 and 4, and enters that into the PIN field:

    username: bloggs
    pw: password
    pin: 0192

The PIN is one-time unique! Has anyone ever come across a setup like this? Sorry for the long post! Hope you can help!
Maybe, a few questions first though:

1. You mention a picture comes up - do you mean this is a CAPTCHA[1] style challenge? If so, it's possible you can automate fetching the numbers with one of the CAPTCHA analysis tools.

2. Is the PIN challenge displayed before or after a successful logon; i.e. do you have to provide a valid username and password, then go to the PIN screen, then get access, or do you get the PIN screen together with the logon boxes? If it comes up first you could have a go at doing some pattern analysis.

3. Do you have a valid login + PIN already for the testing?

4. Have you tried session-based attacks yet? (Although they could be changing the session ID on successful login.)

[1] http://en.wikipedia.org/wiki/Captchas

Regards,
Nick Besant
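The grid scheme the original poster describes (a fixed row 1234567890, a shuffled row beneath it, and the user typing the digits found under each digit of their PIN) is easy to model server-side, and modelling it makes the properties a reviewer should check concrete: the shuffled row must come from a CSPRNG, each issued grid must be bound to one session and consumed on the first verification attempt, and the comparison should be constant-time. The following Python is an added example written for this archive page; it is not code from the thread or from the client's portal. The class name PinChallengeVerifier, the username-to-PIN lookup dict and the session ids are assumptions made for the illustration, and the sample user "bloggs" with PIN 1234 is the constructed data from the post.

```python
"""Server-side model of the one-time PIN grid described in the thread.

Added example, not code from the thread or from the portal it discusses.
PinChallengeVerifier, the pin lookup dict and the session ids are
assumptions made for this illustration.
"""
import hmac
import secrets
import string
from typing import Dict

TOP_ROW = "1234567890"      # the fixed row shown in the "picture"
DIGITS = string.digits      # "0123456789"


def make_grid() -> str:
    """Return a random permutation of the ten digits: the row the portal
    displays under TOP_ROW. Fisher-Yates driven by the secrets CSPRNG, so
    one grid gives no information about the next."""
    digits = list(DIGITS)
    for i in range(len(digits) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return "".join(digits)


def expected_response(pin: str, grid: str) -> str:
    """What the user should type: for each PIN digit, the grid digit in the
    column under that digit of TOP_ROW. With the post's grid 0192837465 and
    PIN 1234 this is "0192"."""
    if len(grid) != 10 or sorted(grid) != list(DIGITS):
        raise ValueError("grid must be a permutation of the ten digits")
    if not pin or any(d not in DIGITS for d in pin):
        raise ValueError("pin must be a non-empty string of digits")
    return "".join(grid[TOP_ROW.index(d)] for d in pin)


class PinChallengeVerifier:
    """Keeps at most one outstanding grid per session and consumes it on the
    first verification attempt, so a transcribed response is useless once
    used or once a new grid has been issued."""

    def __init__(self, pins_by_user: Dict[str, str]):
        self._pins = pins_by_user            # assumption: username -> PIN
        self._pending: Dict[str, str] = {}   # session id -> issued grid

    def issue(self, session_id: str) -> str:
        grid = make_grid()
        self._pending[session_id] = grid     # a fresh grid replaces any old one
        return grid

    def verify(self, session_id: str, username: str, response: str) -> bool:
        # pop() makes the grid single-use whether or not the response is right
        grid = self._pending.pop(session_id, None)
        pin = self._pins.get(username)
        if grid is None or pin is None:
            return False
        if len(response) != len(pin) or any(c not in DIGITS for c in response):
            return False
        # compare_digest keeps the timing independent of where the first
        # wrong digit is
        return hmac.compare_digest(expected_response(pin, grid), response)


def demo() -> Dict[str, bool]:
    """Walk through the checks a reviewer would make, using the constructed
    sample user 'bloggs' with PIN 1234."""
    verifier = PinChallengeVerifier({"bloggs": "1234"})
    # honest logon: a grid is issued and the matching response is accepted
    grid = verifier.issue("sess-A")
    answer = expected_response("1234", grid)
    accepted = verifier.verify("sess-A", "bloggs", answer)
    # replaying the same answer on the same session fails: grid consumed
    replayed = verifier.verify("sess-A", "bloggs", answer)
    # malformed input is rejected before any comparison takes place
    verifier.issue("sess-B")
    malformed = verifier.verify("sess-B", "bloggs", "01x2")
    return {"accepted": accepted, "replayed": replayed, "malformed": malformed}


if __name__ == "__main__":
    print(demo())
```

The model also makes the scheme's main weakness visible: the grid is the key to the response, so anyone who sees both the picture and the digits typed under it learns the PIN position by position. That is why the grid must only ever be delivered inside the authenticated TLS session, bound to that session, and discarded after one attempt; those are the properties Nick's questions about session handling and pattern analysis are probing for.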
Current thread:
- pen testing https portal? mismail (Sep 07)
- Re: pen testing https portal? Nathan Keltner (Sep 08)
- Re: pen testing https portal? Paolo Scarabelli (Sep 10)
- <Possible follow-ups>
- RE: pen testing https portal? Nick Besant (Sep 08)
- Re: Re: pen testing https portal? mismail (Sep 10)
- Re: pen testing https portal? Richard Braganza (Sep 11)
- Re: pen testing https portal? Nathan Keltner (Sep 08)