Penetration Testing mailing list archives

RE: pen testing https portal?


From: "Nick Besant" <Nick.Besant () ioko com>
Date: Fri, 8 Sep 2006 11:08:06 +0100

-----Original Message-----
mismail () postmaster co uk

Has anyone ever tested an https portal?

Basically I have a client who has constructed an https portal to allow workers to log on from anywhere and access apps and files.

How it works is that the username and password are the user's AD logon details, and the PIN is emailed to the user, so for example when the user logs on he has a button saying "generate pin!".

Now say for example he has a PIN of 1234. When he hits "generate pin" a picture comes up like this:

1234567890
0192837465

So the user finds the 1st number of his PIN in the top row and types the number below it, same with 2, 3 and 4, and enters that into the PIN field:

username: bloggs
pw: password
pin: 0192

The PIN is one-time unique! Has anyone ever come across a setup like this?

Sorry for the long post!

Hope you can help!


Maybe, a few questions first though:

1. You mention a picture comes up - do you mean this is a CAPTCHA[1]
style challenge ?  If so, it's possible you can automate fetching the
numbers with one of the CAPTCHA analysis tools.
2. Is the PIN challenge displayed before or after a successful logon;
i.e. do you have to provide a valid username and password, then go to
the PIN screen, then get access or do you get the PIN screen together
with the logon boxes ?  If it comes up first you could have a go at
doing some pattern analysis.
3. Do you have a valid login + PIN already for the testing ?
4. Have you tried session-based attacks yet ? (although they could be
changing session ID on successful login).

[1] http://en.wikipedia.org/wiki/Captchas


Regards,

Nick Besant