Penetration Testing mailing list archives
Re: username and Password sent as clear text strings
From: jfvanmeter () comcast net
Date: Tue, 20 May 2008 08:27:13 +0000
I never called it a password in clear text, I said it was a clear text string that contained a password. In my mind that is different then a clear text password. Just my two shiney centavos --John -------------- Original message ---------------------- From: "Matthew Zimmerman" <mzimmerman () gmail com>
In my opinion, if you want to mitigate this, don't use passwords. Use true challenge-response. Everything else proposed here is either obfuscation or doesn't really work in a web application environment. A VPN around a webserver only works if every user that needs access to that webserver can also access the vpn. This situation should NOT be described as a 'password in cleartext'. If you call SSL encryption (when using a decent symmetric algorithm), then this is not a cleartext issue... You've committed a man-in-the-middle attack by being the client AND the man-in-the-middle... That doesn't really get you anything. If you control the client, you control the connection. In this case, you told your client to trust a self-signed certificate with the name of "WebScarab" when you went to "OtherSite. Follow NIST SP 800-63 for more guidance -- http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-63--1 Matt Zimmerman On Wed, May 14, 2008 at 6:39 AM, <jfvanmeter () comcast net> wrote:Hello everyone, and I know this might not be the most correct place to postthis questions, but I was hoping to get some feedback on what you think the potential risk would be and how this this could be exploited.I completed a security review of a web server, that creates a SSL connectionbetween the cleint and the server. Using WebScarab, I could see that the username and password are sent as clear text strings. The log in to the server requires a administrative account.Do you think there is a large amount of risk, in sending the username andpassword as a clear text string, since the pipe is encrypted? I was thinking that a man-in-the-middle or sometype of session hijacking attack could allow the account to be compromised.I'm working on completing the report for my client and was hoping to get somefeedback from everyone so I could pose this to them correcly.Thank you in advance --John ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Find out now! Get Webinar Recording and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Cenzic Top 5 Common Mistakes in Securing Web Applications Find out now! Get Webinar Recording and PPT Slides www.cenzic.com/landing/securityfocus/hackinar ------------------------------------------------------------------------
Current thread:
- Re: username and Password sent as clear text strings, (continued)
- Re: username and Password sent as clear text strings jfvanmeter (May 16)
- Re: username and Password sent as clear text strings arvind doraiswamy (May 18)
- Re: username and Password sent as clear text strings Orlin Gueorguiev (May 18)
- RE: username and Password sent as clear text strings Shenk, Jerry A (May 18)
- RE: username and Password sent as clear text strings Marvin Simkin (May 19)
- Re: username and Password sent as clear text strings jfvanmeter (May 19)
- Re: username and Password sent as clear text strings christopher . riley (May 19)
- Re: username and Password sent as clear text strings jfvanmeter (May 21)
- RE: username and Password sent as clear text strings Shenk, Jerry A (May 22)
- RE: username and Password sent as clear text strings John Babio (May 22)
- RE: username and Password sent as clear text strings Shenk, Jerry A (May 22)
- Re: username and Password sent as clear text strings jfvanmeter (May 21)
- Re: username and Password sent as clear text strings arvind doraiswamy (May 21)
- RE: username and Password sent as clear text strings jfvanmeter (May 22)